(obligatory I’m not a network surgeon this is likely not perfectly correct)
The article mentions network interfaces, DHCP and gateways so real quick: a network interface usually represents a physical connection to a network, like an Ethernet port or a WiFi card. DHCP is a protocol that auto configured network routes and addresses once a physical connection is established, like when you jack in via an ethernet cable, it tells you the IP address you should go by, the range of IP address on the network you’ve connected to, where you can resolve domain names to IP addresses. It also tells you the address of a default gateway to route traffic to, if you’re trying to reach something outside of this network.
You can have more than one set of this configuration. Your wired network might tell you that your an address is 10.0.0.34, anything that starts with 10.0.0. is local, and to talk to 10.0.0.254 if you’re trying to get to anything else. If at the same time you also connect to a wireless network, that might tell you that your address is 192.168.0.69, 192.168.0.* is your local network, and 192.168.0.254 is your gateway out. Now your computer wants to talk to 4.2.2.2. Should it use the wireless interface and go via 192.168.0.254? or the wired one and use 10.0.0.254? Your os has a routing table that includes both of those routes, and based on the precedence of the entries in it, it’ll pick one.
VPN software usually works by creating a network interface on your computer, similar to an interface to a WiFi card, but virtual. It then asks the OS to route all network traffic, through the new interface it created. Except of course traffic from the VPN software, because that still needs to get out to the VPN provider (let’s say, at 1.3.3.7) via real Internet.
So if you’re following along at time, your routing table at this point might look like this:
- traffic to 1.3.3.7 should go to 10.0.0.254 via the wired interface
- all traffic should go to the VPN interface
- traffic to 10.0.0.* should go to the wired interface
- all traffic should go to 10.0.0.254 via the wired interface
- traffic to 192.168.0.* should go to the wireless interface
- all traffic should go to 192.168.0.254 via the wireless interface
whenever your os wants to send network packets, it’ll go down this list of rules until one applies. With that VPN turned on, most of the time, only those two first rules will ever apply.
If I’m reading the article correctly, what this attack does, is run a DHCP server, that when handing out routing rules, will send one with a flag that causes, for example, the last two rules to be placed at the top of the list instead of the bottom. Your VPN will still be on, the configuration it’s requested the OS to make would still be in place, and yet all your traffic will be routed out to this insecure wireless network that’s somehow set itself as the priority route over anything else.
Bricriu@lemmy.world 6 months ago
My understanding is that if you run a rogue discoverable DHCP server in a local network with a particular set of options set and hyper-specific routing rules, you can clobber the routing rules set by the VPN software on any non-Android device, and route all traffic from those devices through arbitrary midpoints that you control.
But IANANE (I am not a network engineer) so please correct my misinterpretations.
applepie@kbin.social 6 months ago
this implies physical access or at least access within the network?
SzethFriendOfNimi@lemmy.world 6 months ago
Keeping in mind that may mean that somebody like a cellular provider could do so. Since your local network in that context would be them.
sailingbythelee@lemmy.world 6 months ago
Exactly. And if your ISP or cellular provider wants, or is forced, to gather information about your internet activities, they can almost certainly find a way. The cheap consumer-grade VPN services most of us use just prevent casual or automated observers from easily detecting your device’s IP address. For most people that just want to torrent casually or use public wifi, it’s enough.
lemmyng@lemmy.ca 6 months ago
It has implications on the effectiveness of VPNs on public networks.
transientpunk@sh.itjust.works 6 months ago
That, or the ability to spoof it
Pretzilla@lemmy.world 6 months ago
Or I expect compromise of anything on the LAN that can create a rogue DNS server that can override the routing table.
But I might be missing something