THIS MONTH THE DOCTOR TACKLES...

> VPN vulnerability

> Application tabs

> Podman acceleration

Are VPNs toast?

I’ve been reading a news story on the TunnelVision vulnerability for virtual private networks.

Apparently, this—excuse the pun—tunnel-sized hole in VPN security has existed since 2002. It says the vulnerability allows attackers to force VPN apps to send and receive at least some of your traffic outside of the encrypted tunnel. The claim is that you’re only safe when the VPN runs on an Android device or Linux PC.

Is this true, and if so, does it mean the VPN networks I’ve been using for all these years have been utterly useless in all that time?

—Caitlin H Tracey

THE DOCTOR RESPONDS: The headline of this vulnerability does make for grim reading. That said, in practical terms, the risk can be minimized and even eliminated completely. That’s because this vulnerability targets the network you’re connecting through. It makes use of a weakness in how DCHP servers, which allocate IP addresses to devices that aren’t configured to manually set these themselves, work.

The weakness is known as Option 121, and allows networks to change the route traffic takes to certain IP addresses or websites, basically giving bad actors the opportunity to reroute traffic outside of the VPN’s encrypted tunnel.

The attack requires someone to have administrative control over whichever local network you’re connecting to, which is the first piece of good news. If you connect through your phone’s cellular network, or you’re using a VPN at home through your own local network, then you should be immune from this type of attack.