Two security researchers at Leviathan Security Group have developed a new attack, dubbed TunnelVision, which can force virtually all virtual private network (VPN) applications to send and receive traffic outside of their encrypted tunnel. In other words, it can completely eliminate the functionality that a VPN is intended to provide.

The attack lets the attacker intercept the victim’s traffic by routing it through the attacker’s own system, where the data can be read, modified, and leaked while the victim remains connected to both the internet and their VPN.

According to Ars Technica, the vulnerability that the attack exploits, identified as CVE-2024-3661, has existed since 2002, and it is possible that attackers have already used it. Most operating systems, such as iOS and macOS, are currently vulnerable to the attack; Android is the exception.

The most effective way to protect oneself is to run a VPN in a virtual machine whose network adapter is not in bridged mode. Alternatively, connecting a VPN to the internet via a mobile device’s Wi-Fi network can also provide protection.

By Jonna N
