Researchers uncover attack to ‘decloak’ VPN traffic


A novel network technique that routes traffic around a VPN's encrypted tunnel has been revealed by security researchers at Leviathan Security. Dubbed "decloaking," the technique lets an attacker force a target's traffic off their VPN tunnel by abusing the DHCP (Dynamic Host Configuration Protocol) client functionality built into operating systems: a rogue DHCP server on the local network pushes static routes (DHCP option 121) that are more specific than the routes the VPN installed, so the operating system sends matching traffic out of the physical interface instead of through the tunnel.

The result is that the user's traffic for those destinations is transmitted unencrypted, enabling an attacker on the same network to snoop on their activity, even though the VPN connection appears intact and no kill switch is tripped: the tunnel stays up, the client still reports it is connected, and only the routing has changed.

“We’ve spent extensive time exploring this capability and attempting to notify as many affected parties as possible,” the researchers said. “We also know it is our responsibility as security researchers to inform the security and privacy community, as well as the general public, about this threat.”

The technique potentially dates back to 2002, when DHCP option 121 (classless static routes, RFC 3442) was introduced, and the researchers believe it may already have been discovered and used maliciously, which is why they judged public disclosure warranted.
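To make the mechanism concrete, the following is an added example (not code from Leviathan Security or from the article) that encodes and parses DHCP option 121 in the RFC 3442 wire format and then replays the effect on a simplified, longest-prefix-match routing table. The routing table, addresses and interface names (eth0 for the LAN, tun0 for the VPN, 198.51.100.5 as the VPN server, 203.0.113.0/24 as the destination the attacker wants to see) are constructed assumptions for illustration; route metrics are deliberately ignored because the attack rests on prefix length, not on metric tie-breaking.

```python
"""DHCP option 121 (RFC 3442 classless static routes) encoder/decoder and a
routing-table simulation showing why an injected route wins over a VPN tunnel."""
import ipaddress

DHCP_OPT_CLASSLESS_STATIC_ROUTE = 121  # option code assigned by RFC 3442


def encode_option_121(routes):
    """Encode (destination CIDR, gateway) pairs as the option 121 payload.

    Per route RFC 3442 stores: prefix length (1 byte), then only the significant
    destination octets (ceil(prefixlen / 8) of them), then the 4-byte gateway.
    """
    out = bytearray()
    for dest, gateway in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:significant]
        out += ipaddress.IPv4Address(gateway).packed
    return bytes(out)


def decode_option_121(payload):
    """Parse an option 121 payload into (IPv4Network, IPv4Address) pairs.

    Rejects malformed input (prefix > 32 or a truncated entry) instead of
    silently installing a partial route list.
    """
    routes = []
    i = 0
    while i < len(payload):
        prefixlen = payload[i]
        i += 1
        if prefixlen > 32:
            raise ValueError("prefix length %d exceeds 32" % prefixlen)
        significant = (prefixlen + 7) // 8
        if i + significant + 4 > len(payload):
            raise ValueError("truncated route entry in option 121")
        dest_int = int.from_bytes(payload[i:i + significant].ljust(4, b"\x00"), "big")
        i += significant
        gateway = ipaddress.IPv4Address(payload[i:i + 4])
        i += 4
        # strict=False: tolerate non-zero host bits a rogue server might send
        routes.append((ipaddress.IPv4Network((dest_int, prefixlen), strict=False), gateway))
    return routes


class RoutingTable:
    """Minimal longest-prefix-match table (constructed model, metrics ignored)."""

    def __init__(self):
        self.entries = []  # (IPv4Network, next hop, interface)

    def add(self, dest, next_hop, iface):
        self.entries.append((ipaddress.IPv4Network(dest), str(next_hop), iface))

    def lookup(self, dst):
        addr = ipaddress.IPv4Address(dst)
        best = None
        for net, next_hop, iface in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return best


def simulate_decloak(option_121_payload, targets):
    """Return {target: (interface before, interface after)} for a client whose
    VPN owns the default route until the DHCP routes are installed on eth0."""
    rt = RoutingTable()
    # Constructed baseline: LAN default via eth0, VPN capturing all traffic with
    # the usual pair of /1 routes, and a /32 exception for the VPN server itself.
    rt.add("0.0.0.0/0", "192.168.1.1", "eth0")
    rt.add("0.0.0.0/1", "10.8.0.1", "tun0")
    rt.add("128.0.0.0/1", "10.8.0.1", "tun0")
    rt.add("198.51.100.5/32", "192.168.1.1", "eth0")
    before = {t: rt.lookup(t)[2] for t in targets}
    # The DHCP client installs option 121 routes on the leased interface (eth0),
    # so anything they cover is now more specific than the tunnel's /1 routes.
    for net, gateway in decode_option_121(option_121_payload):
        rt.add(str(net), gateway, "eth0")
    after = {t: rt.lookup(t)[2] for t in targets}
    return {t: (before[t], after[t]) for t in targets}


def diverted_destinations(option_121_payload, targets):
    """The check a client could run on a lease: which targets would leave tun0?"""
    result = simulate_decloak(option_121_payload, targets)
    return sorted(t for t, (b, a) in result.items() if b == "tun0" and a != "tun0")


if __name__ == "__main__":
    # Constructed rogue lease: everything for 203.0.113.0/24 goes to the
    # attacker's gateway on the LAN instead of into the tunnel.
    rogue = encode_option_121([("203.0.113.0/24", "192.168.1.66")])
    print(rogue.hex())
    print(simulate_decloak(rogue, ["203.0.113.10", "93.184.216.34"]))
```

The simulation is the whole point: the VPN's /1 routes still exist and the tunnel is still up, which is why kill switches keyed on "is tun0 present" do not fire, yet the injected /24 is longer and wins for the one destination the attacker cares about.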

One partial mitigation observed by the researchers involves firewall rules that deny all traffic on non-VPN interfaces (other than to the VPN server itself), so diverted packets are dropped rather than sent in the clear. However, this creates a side channel: an attacker who injects a route for a chosen destination can observe whether the victim's traffic changes, which enables targeted denial-of-service censorship or de-anonymizing the traffic destination through traffic analysis, potentially putting journalists, whistleblowers, and others at severe risk in certain parts of the world.

The strongest recommendation from Leviathan Security is for VPN providers to implement network namespaces on operating systems that support them, as described in WireGuard's documentation. This Linux feature places the VPN interface and its routing table in a namespace separate from the one holding the physical interface, so routes pushed by DHCP on the local network never reach the routing table that the user's applications are routed by.

“It is not feasible to fix the issue by simply removing support for the DHCP feature because this could break Internet connectivity in some legitimate cases,” the researchers explained.

To demonstrate the decloaking technique, Leviathan Security released video proof-of-concept examples and shared lab setup code for others to reproduce the scenarios and test mitigations.

The researchers underscored the shared responsibility among various parties in addressing the issue:

  • Users should avoid untrusted networks for sensitive traffic or use VPN providers with effective mitigations.
  • Network administrators should inform employees about risks of using untrusted networks and implement protections like DHCP snooping.
  • VPN providers must document mitigations/fixes, warn users about the decloaking issue, and revisit marketing claims about securing untrusted networks.  
  • Maintainers of operating systems other than Linux should explore adding network namespace capabilities.

Leviathan Security also plans to release an “ArcaneTrickster” library to enable further local network security research, demonstrating practical attacks without requiring privileged network positions.

(Photo by Chantha Pheuypraseuth)
