On May 6, 2024, Leviathan Security Group shook the cybersecurity world by publishing its research on a VPN vulnerability, named TunnelVision, that allows attackers to bypass the encapsulation (or encryption) of data and push traffic outside of the VPN tunnel using the Dynamic Host Configuration Protocol (DHCP). When the news of TunnelVision broke, cybersecurity experts scrambled to understand and mitigate the vulnerability, which was quickly flagged as a high-priority threat by the Cybersecurity and Infrastructure Security Agency (CISA), the component of the Department of Homeland Security responsible for protecting the United States from cyberattacks.

Why Does This Matter to the Veterinary Profession?

VPNs (Virtual Private Networks) are fairly common tools that allow a device (computer, mobile phone, etc.) to connect directly to a remote internal private network through something like a “tunnel,” so that only this device can access the network over that connection. While telehealth and remote work are not new to the veterinary profession, their use exploded during the early stages of the COVID-19 pandemic, as veterinary practices rushed to find alternative ways to meet with patients and provide patient care.

As veterinary staffing became an increasing challenge in the years that followed, incentives allowing some veterinary and practice professionals to work from home became more popular. While there are a few ways to accomplish this (third-party remote access tools or remote desktop protocols), many practices opted for VPN tunnels. Many veterinary professionals also use VPNs to protect their mobile devices from potentially insecure public Wi-Fi while traveling to conferences for CE or networking.

TunnelVision erodes the wall of safety once thought to be granted unconditionally by VPNs. VPNs offer a split-tunneling feature that lets users reach public networks while connected to a private network at the same time. This can be great for reducing latency, but it has become the bedrock of the TunnelVision exploit. Because the exploit lets attackers reroute traffic around the VPN tunnel, they can access data once thought completely protected. TunnelVision does not affect all mobile devices equally (Android devices appear to be immune, while iOS, Linux, and other OSes are vulnerable with no known complete fix), but the idea of being able to connect “anywhere, safely” through a VPN is now a thing of the past.
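The rerouting works because the DHCP server can hand the victim classless static routes (DHCP option 121) that are more specific than the tunnel's catch-all routes, so the operating system's longest-prefix match sends that traffic out the physical interface instead of the tunnel. The following script is an added example, not code from the original article or from Leviathan's research: it audits a Linux routing table for exactly that signature. The `ip route` output, the interface names (`wlan0`, `tun0`) and every address in it are constructed sample values.

```python
import ipaddress
import re

# Constructed sample of `ip route show` from a Linux laptop on Wi-Fi (wlan0)
# with a VPN tunnel (tun0). The tunnel claims all traffic via two /1 routes;
# the two `proto dhcp` routes toward 192.168.1.1 came from a DHCP classless
# static route option and are more specific than /1, so they win the lookup.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
198.51.100.7 via 192.168.1.1 dev wlan0
192.0.2.0/24 via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.0/24 via 192.168.1.1 dev wlan0 proto dhcp metric 600
"""
ROUTE_RE = re.compile(r"^(?P<dst>default|\S+)(?: via (?P<gw>\S+))? dev (?P<dev>\S+)")

def parse_routes(text):
    # Each entry: (network, gateway or None for connected subnets, device, raw line)
    routes = []
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m["dst"] == "default" else m["dst"]
        routes.append((ipaddress.ip_network(dst, strict=False), m["gw"], m["dev"], raw.strip()))
    return routes

def find_bypass_routes(text, vpn_dev, vpn_server):
    """Return route lines that steer traffic around the tunnel on vpn_dev.
    Flagged: gateway routes on another interface more specific than the widest
    gateway route the tunnel installed; the /32 host route to the VPN server is
    exempt because every tunnel needs it to reach its endpoint."""
    routes = parse_routes(text)
    tunnel_plens = [net.prefixlen for net, gw, dev, _ in routes if dev == vpn_dev and gw]
    if not tunnel_plens:
        raise ValueError(f"no gateway route on {vpn_dev}; the tunnel is not carrying traffic")
    widest = min(tunnel_plens)
    server = ipaddress.ip_address(vpn_server)
    flagged = []
    for net, gw, dev, line in routes:
        if dev == vpn_dev or gw is None:
            continue  # tunnel routes and directly connected subnets are fine
        if net.prefixlen == net.max_prefixlen and net.network_address == server:
            continue  # legitimate host route to the VPN endpoint
        if net.prefixlen > widest:
            flagged.append(line)
    return flagged
```

On a real machine, feed it the output of `ip route show` together with your tunnel interface and VPN server address; any line it returns is a prefix whose traffic is leaving the laptop in the clear.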

So Is This the Death of VPNs?

Yes . . . and no. And probably not.

VPNs have, until this attack, been regarded as a relatively safe way to help protect your device during remote connection sessions. The VPN companies have marketed the safety and the anonymity they provide extensively through ads found in YouTube videos, podcasts, and other sources of media, to the point where even the “technologically challenged” know enough about VPNs to have them installed. This blanket of goodwill now has some rips and frays in it, and depending on how quickly the news of this exploit spreads—and how good these companies are at damage control—this will impact public trust.

That said, TunnelVision has some limitations that reduce its impact. To execute the exploit, an attacker must already be connected to the same network as the victim. On private networks that provides a degree of protection, especially when coupled with multilayered defenses for the network and the endpoints connecting to it. More concerning are open public networks, such as the Wi-Fi at a coffee shop or an airport. An attacker connected to the same network could attempt to “starve” the legitimate DHCP server until they control the leases, then hand out “new” leases, effectively becoming the DHCP server without having to take total control of the network.

On public, unprotected Wi-Fi, TunnelVision remains a very clear and very present threat, and on private networks that cut corners on other cyber defenses the risk persists. This means that VPN use should be limited and weighed carefully, especially in unsafe environments, even though protection in exactly those environments is one of the selling points of VPNs.

VPN vendors will weather this storm. The ads will continue, the products will persist, and (hopefully) patches and solutions will be rolled out to close the TunnelVision vulnerability. Some VPN companies have acknowledged the threat and are working on solutions, while others have ignored it (at least in public). The ones acknowledging the vulnerability and its risks are the ones most likely to be ahead of the game when it comes to crafting defenses. In the meantime, though, this is a huge dent in the marketing claims VPN vendors have indulged in thus far.

Wait, I Use My VPN When I Travel!

When trying to connect to the Internet in public, VPNs used to be the recommended route. TunnelVision has changed the equation. The best mitigation is to avoid getting on public networks whenever possible and to only connect to networks you control.

What does this look like? Traveling with a 5G hotspot gives you the option to connect your laptop through your phone’s hotspot and then connect through your VPN to your office LAN from there. In this scenario you control the local network, which gives you more protection against bad actors. Yes, this will use data on your plan, but it is better to pay a little for safety than to pay a lot if your data or finances become compromised.

Okay, But What Can My Veterinary Practice Do?

If your first thought on reading this article was to look at your own cybersecurity protections and shore up your defenses, congratulations! You’re already ahead of the pack. As with any exploit, the key to a safe network is a multilayered, up-to-date, security-conscious posture that protects your practice and your data.

  1. Limit VPN Usage – This is the most obvious step, but it bears repeating: if you are using VPNs, you are NOT at zero risk from this exploit, regardless of your defensive posture. If VPNs are a vital part of your day-to-day operations, limit access to key, authorized personnel only; remove any inactive VPN accounts; and roll out MFA (multi-factor authentication) to add another layer of protection for anyone connecting in.
  2. Patching – Your veterinary practice likely (hopefully) has multiple security applications and devices. Ensure that each of them receives any patches that address CVE-2024-3661 (the identifier assigned to the TunnelVision vulnerability).
  3. Network Segmentation – A strong network segments different systems from one another, minimizing lateral movement if an attacker breaches one segment. For veterinary hospitals, for example, your public/guest Wi-Fi should be on a different segment from your VoIP (Voice over IP) phone systems, which should in turn be on a different segment from your critical systems.
  4. Managed Detection and Response – MDR tools monitor traffic within your network, identify potentially dangerous connections or movements, and can quarantine intruders, often before harm is done or spreads.
  5. Zero Trust Architecture – The Zero Trust Architecture (ZTA) security model works from the assumption that no user, device, or connection is trustworthy within the network until verified. Adopting this model in your network architecture creates a tightly controlled access management system that dramatically reduces the risk of external breaches.
  6. Security Awareness Training – Social engineering is still on the rise, and since part of protecting the network is protecting the endpoints (i.e., the devices that connect to it), we have to train our veterinary staff to be vigilant at all times.

TunnelVision is not the first cybersecurity threat that veterinary practices have had to face, nor will it be the last. As with any new threat, the key is to understand the risks, understand which behaviors or technologies within your practice heighten or minimize them, and invest in both the resources to defend against these risks and the time to train your staff on what they mean for your practice. With TunnelVision, the world feels a bit less safe than it did before.

But with heightened vigilance, we can weather this storm!

Resources:

https://www.leviathansecurity.com/blog/tunnelvision
https://arstechnica.com/security/2024/05/novel-attack-against-virtually-all-vpn-apps-neuters-their-entire-purpose/
https://www.cisa.gov/news-events/bulletins/sb24-134