
Why Your VPN May Not Be As Secure As It Claims


Virtual private networking (VPN) companies market their services as a way to prevent anyone from snooping on your Internet usage. But new research suggests this is a dangerous assumption when connecting to a VPN via an untrusted network, because attackers on the same network could force a target’s traffic off of the protection provided by their VPN without triggering any alerts to the user.

Image: Shutterstock.

When a device initially tries to connect to a network, it broadcasts a message to the entire local network stating that it is requesting an Internet address. Normally, the only system on the network that notices this request and replies is the router responsible for managing the network to which the user is trying to connect.

The machine on a network responsible for fielding these requests is called a Dynamic Host Configuration Protocol (DHCP) server, which will issue time-based leases for IP addresses. The DHCP server also takes care of setting a specific local address — known as an Internet gateway — that all connecting systems will use as a primary route to the Web.

VPNs work by creating a virtual network interface that serves as an encrypted tunnel for communications. But researchers at Leviathan Security say they’ve discovered it’s possible to abuse an obscure feature built into the DHCP standard so that other users on the local network are forced to connect to a rogue DHCP server.

“Our technique is to run a DHCP server on the same network as a targeted VPN user and to also set our DHCP configuration to use itself as a gateway,” Leviathan researchers Lizzie Moratti and Dani Cronce wrote. “When the traffic hits our gateway, we use traffic forwarding rules on the DHCP server to pass traffic through to a legitimate gateway while we snoop on it.”

The feature being abused here is known as DHCP option 121, and it allows a DHCP server to set a route on the VPN user’s system that is more specific than those used by most VPNs. Abusing this option, Leviathan found, effectively gives an attacker on the local network the ability to set up routing rules that have a higher priority than the routes for the virtual network interface that the target’s VPN creates.

“Pushing a route also means that the network traffic will be sent over the same interface as the DHCP server instead of the virtual network interface,” the Leviathan researchers said. “This is intended functionality that isn’t clearly stated in the RFC [standard]. Therefore, for the routes we push, it is never encrypted by the VPN’s virtual interface but instead transmitted by the network interface that is talking to the DHCP server. As an attacker, we can select which IP addresses go over the tunnel and which addresses go over the network interface talking to our DHCP server.”

Leviathan found they could force VPNs on the local network that already had a connection to arbitrarily request a new one. In this well-documented tactic, known as a DHCP starvation attack, an attacker floods the DHCP server with requests that consume all available IP addresses that can be allocated. Once the network’s legitimate DHCP server is completely tied up, the attacker can then have their rogue DHCP server respond to all pending requests.

“This technique can also be used against an already established VPN connection once the VPN user’s host needs to renew a lease from our DHCP server,” the researchers wrote. “We can artificially create that scenario by setting a short lease time in the DHCP lease, so the user updates their routing table more frequently. In addition, the VPN control channel is still intact because it already uses the physical interface for its communication. In our testing, the VPN always continued to report as connected, and the kill switch was never engaged to drop our VPN connection.”
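To make the option 121 mechanism concrete from the defender's side, the following is an added example (not code from KrebsOnSecurity or from Leviathan's published research) that decodes the classless-static-route option from a DHCP options field, exactly as RFC 3442 packs it, and then flags any pushed route that is more specific than the VPN's own tunnel routes, which is the condition that lets a route win over the virtual interface. The DHCP bytes are constructed for the example; the tunnel routes (0.0.0.0/1 and 128.0.0.0/1, the split-default pair many clients install) and the VPN server address 198.51.100.7 are assumptions, not values from the article.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and report routes
that would take priority over a VPN tunnel. Added example; the DHCP options
below are constructed for illustration, not captured traffic."""
import ipaddress
from typing import Dict, List, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the options field
OPT_PAD, OPT_ROUTER, OPT_CLASSLESS_ROUTES, OPT_END = 0, 3, 121, 255

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Return {code: raw value} from a DHCP options field (cookie + TLVs + END)."""
    if options[:4] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    parsed, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        length = options[i + 1]
        parsed[code] = options[i + 2 : i + 2 + length]
        i += 2 + length
    return parsed


def decode_option_121(value: bytes) -> List[Route]:
    """RFC 3442 packs each route as: prefix length (1 byte), only the significant
    octets of the destination (ceil(prefix/8) bytes), then the router (4 bytes)."""
    routes, i = [], 0
    while i < len(value):
        plen = value[i]
        n = (plen + 7) // 8
        dest = value[i + 1 : i + 1 + n].ljust(4, b"\x00")
        router = value[i + 1 + n : i + 5 + n]
        if plen > 32 or len(router) != 4:
            raise ValueError("malformed option 121 entry")
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def routes_bypassing_vpn(pushed: List[Route], tunnel_routes, vpn_server) -> List[Route]:
    """Longest prefix wins: a pushed route more specific than every tunnel route it
    overlaps steers that destination out the physical interface. The one legitimate
    exception is a host route to the VPN server itself, which must leave the tunnel."""
    server_host = ipaddress.IPv4Network(f"{vpn_server}/32")
    flagged = []
    for dest, gw in pushed:
        overlapping = [t for t in tunnel_routes if dest.overlaps(t)]
        if not overlapping or dest == server_host:
            continue
        if dest.prefixlen > max(t.prefixlen for t in overlapping):
            flagged.append((dest, gw))
    return flagged


def audit_dhcp_options(options: bytes, tunnel_routes, vpn_server) -> List[str]:
    """Human-readable findings for one DHCP OFFER/ACK options field."""
    opts = parse_dhcp_options(options)
    if OPT_CLASSLESS_ROUTES not in opts:
        return []
    pushed = decode_option_121(opts[OPT_CLASSLESS_ROUTES])
    return [f"{dest} via {gw} bypasses VPN tunnel"
            for dest, gw in routes_bypassing_vpn(pushed, tunnel_routes, vpn_server)]


# Constructed option 121 payload: four routes as a DHCP server might push them.
OPT121_VALUE = (
    b"\x00" + bytes([192, 168, 1, 1])                                # 0.0.0.0/0 via 192.168.1.1
    + b"\x08\x0a" + bytes([192, 168, 1, 250])                        # 10.0.0.0/8 via 192.168.1.250
    + b"\x18\xcb\x00\x71" + bytes([192, 168, 1, 250])                # 203.0.113.0/24 via 192.168.1.250
    + b"\x20" + bytes([198, 51, 100, 7]) + bytes([192, 168, 1, 1])  # 198.51.100.7/32 via 192.168.1.1
)
SAMPLE_OPTIONS = (
    DHCP_MAGIC
    + bytes([OPT_ROUTER, 4]) + bytes([192, 168, 1, 1])
    + bytes([OPT_CLASSLESS_ROUTES, len(OPT121_VALUE)]) + OPT121_VALUE
    + bytes([OPT_END])
)
# Assumed VPN client state: split-default tunnel routes and the VPN server address.
TUNNEL_ROUTES = [ipaddress.IPv4Network("0.0.0.0/1"), ipaddress.IPv4Network("128.0.0.0/1")]
VPN_SERVER = ipaddress.IPv4Address("198.51.100.7")

if __name__ == "__main__":
    for finding in audit_dhcp_options(SAMPLE_OPTIONS, TUNNEL_ROUTES, VPN_SERVER):
        print(finding)
```

Run against the constructed message, the audit reports the /8 and /24 routes and stays quiet about the default route (no more specific than the tunnel's /1 pair) and the /32 to the VPN server (the route a client needs anyway). The same check could run on the routing table after each lease renewal, which is the moment the article says the attack takes effect.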

The researchers say their methods could be used by an attacker who compromises a DHCP server or wireless access point, or by a rogue network administrator who owns the infrastructure themselves and maliciously configures it. Alternatively, an attacker could set up an “evil twin” wireless hotspot that mimics the signal broadcast by a legitimate provider.

ANALYSIS

Bill Woodcock is executive director at Packet Clearing House, a nonprofit based in San Francisco. Woodcock said Option 121 has been included in the DHCP standard since 2002, which means the attack described by Leviathan has technically been possible for the last 22 years.

“They’re realizing now that this can be used to circumvent a VPN in a way that’s really problematic, and they’re right,” Woodcock said.

Woodcock said anyone who might be a target of spear phishing attacks should be very concerned about using VPNs on an untrusted network.

“Anyone who is in a position of authority or maybe even someone who is just a high net worth individual, those are all very reasonable targets of this attack,” he said. “If I were trying to do an attack against someone at a relatively high security company and I knew where they typically get their coffee or sandwich at twice a week, this is a very effective tool in that toolbox. I’d be a little surprised if it wasn’t already being exploited in that way, because again this isn’t rocket science. It’s just thinking a little outside the box.”

Successfully executing this attack on a network likely would not allow an attacker to see all of a target’s traffic or browsing activity. That’s because for the vast majority of the websites visited by the target, the content is encrypted (the site’s address begins with https://). However, an attacker would still be able to see the metadata — such as the source and destination addresses — of any traffic flowing by.

KrebsOnSecurity shared Leviathan’s research with John Kristoff, founder of dataplane.org and a PhD candidate in computer science at the University of Illinois Chicago. Kristoff said practically all user-edge network gear, including WiFi deployments, support some form of rogue DHCP server detection and mitigation, but that it’s unclear how widely deployed those protections are in real-world environments.

“However, and I think this is a key point to emphasize, an untrusted network is an untrusted network, which is why you’re usually employing the VPN in the first place,” Kristoff said. “If [the] local network is inherently hostile and has no qualms about operating a rogue DHCP server, then this is a sneaky technique that could be used to de-cloak some traffic – and if done carefully, I’m sure a user might never notice.”

MITIGATIONS

According to Leviathan, there are several ways to minimize the threat from rogue DHCP servers on an unsecured network. One is using a device powered by the Android operating system, which apparently ignores DHCP option 121.

Relying on a temporary wireless hotspot controlled by a cellular device you own also effectively blocks this attack.

“They create a password-locked LAN with automatic network address translation,” the researchers wrote of cellular hot-spots. “Because this network is completely controlled by the cellular device and requires a password, an attacker should not have local network access.”

Leviathan’s Moratti said another mitigation is to run your VPN from inside of a virtual machine (VM) — like Parallels, VMware or VirtualBox. VPNs run inside of a VM are not vulnerable to this attack, Moratti said, provided they are not run in “bridged mode,” which causes the VM to replicate another node on the network.

In addition, a technology called “deep packet inspection” can be used to deny all in- and outbound traffic from the physical interface except for the DHCP and the VPN server. However, Leviathan says this approach opens up a potential “side channel” attack that could be used to determine the destination of traffic.

“This could be theoretically done by performing traffic analysis on the volume a target user sends when the attacker’s routes are installed compared to the baseline,” they wrote. “In addition, this selective denial-of-service is unique as it could be used to censor specific resources that an attacker doesn’t want a target user to connect to even while they are using the VPN.”

Moratti said Leviathan’s research shows that many VPN providers are currently making promises to their customers that their technology can’t keep.

“VPNs weren’t designed to keep you more secure on your local network, but to keep your traffic more secure on the Internet,” Moratti said. “When you start making assurances that your product protects people from seeing your traffic, there’s an assurance or promise that can’t be met.”

A copy of Leviathan’s research, along with code intended to allow others to duplicate their findings in a lab environment, is available here.

martinbaum
1 day ago
Huh. Android as the go-to remedy. Had to happen eventually.
JayM
1 day ago
Heh.
Atlanta, GA

Shocker: ByteDance Still Receives Data From U.S. TikTok Users


Alexandra Sternlicht, reporting for Fortune (News+):

Evan Turner, who worked at TikTok as a senior data scientist from April to September in 2022, said TikTok concealed the involvement of its Chinese owner during his employment. When hired, Turner initially reported to a ByteDance executive in Beijing. But later that year, after the company announced a major initiative to store TikTok’s U.S. user data only in the U.S., Turner was reassigned — on paper, at least — to an American manager in Seattle, he says. But Turner says a human resources representative revealed during a video conference call that he would, in reality, continue to work with the ByteDance executive. The stealth chain of command contradicted what TikTok’s executives had said about the company’s independence from ByteDance, Turner says. [...]

Nearly every 14 days, as part of Turner’s job throughout 2022, he emailed spreadsheets filled with data for hundreds of thousands of U.S. users to ByteDance workers in Beijing. That data included names, email addresses, IP addresses, and geographic and demographic information of TikTok U.S. users, he says. The goal was to sift through the information to mine for insights like the geographical regions where users watched the most videos of a particular genre and decide how the company should invest to encourage users to be more active. It all took place after the company had started its initiative to keep sensitive U.S. user data in the U.S., and only available to U.S. workers.

“I literally worked on a project that gave U.S. data to China,” Turner says. “They were completely complicit in that. There were Americans that were working in upper management that were completely complicit in this.”

Packy McCormick:

It’s astonishing that we don’t have the political will to simply ban TikTok.

martinbaum
22 days ago
Where "still" = 18 months ago, but yeah, not good.
jhamill
16 days ago
Still waiting for a valid reason to ban TikTok. Because China is not valid.
California

Putin Rival Alexei Navalny Dies in Siberian Prison


Robyn Dixon, David M. Herszenhorn, and Catherine Belton, reporting for The Washington Post:

Russian opposition leader Alexei Navalny, the defiant anti-corruption crusader and democracy champion who was President Vladimir Putin’s despised nemesis, died suddenly in an Arctic Russian prison colony on Friday, penitentiary officials said, removing the most prominent figure inside Russia willing to challenge the Kremlin’s rule.

Referring to Navalny as Putin’s “nemesis” — which description the Post also uses in its headline — whitewashes just how despicable his attempted assassination, yearslong imprisonment, and now (presumed) actual assassination were. It’s a dysphemism — the opposite of a euphemism. Navalny was a political rival and staunch proponent of democracy. Putin was Navalny’s nemesis, but not the other way around.

His death — foretold as almost inevitable, including by Navalny himself — sent shock waves across Russia and was quickly condemned by global leaders, some of whom joined Russian opposition figures in calling it a state-sponsored murder. Navalny, 47, had appeared at a court hearing by video link the day before, seemingly in good health and with his trademark humor intact.

Navalny’s family and his team, who continued to run his political operation in exile, had warned that his life was in danger since his arrest in January 2021, when he returned to Russia after recovering in Germany from being poisoned with a banned nerve agent. An investigation led by Navalny and Bellingcat, an investigative journalism organization, had identified a team of Russian federal security agents as responsible for the assassination attempt, and his supporters noted that in prison he was in the clutches of the very government that had already tried to kill him several times.

Until 2017, Navalny’s death would have been met with bipartisan, near-universal condemnation here in the United States. No more. But it shouldn’t be surprising that a political party that has turned against fair democratic elections — a party whose undisputed leader has, just weeks ago, argued in court that the president of the United States could not be prosecuted in court for ordering the assassination of his political rivals — sees Vladimir Putin’s Russia as a model to follow, not an enemy to defeat.

Nearly 250 years after the founding of our nation, genuine democracy remains a radical — and alas, fragile — idea.

martinbaum
81 days ago
Gruber needs to buy a dictionary.

★ Aptos, Microsoft’s New Default Font for Office Documents


Si Daniels, principal program manager for fonts and typography, Microsoft Office design (my god do people at Microsoft have long titles), in a much-noted post last week on Medium,[1] “A Change of Typeface: Microsoft’s New Default Font Has Arrived”:

Dear every human on earth that’s ever typed text,

I know this is just a lighthearted salutation, but it’s not the typing of text that exposes “everyone” to Office’s default font, it’s the reading of text. I have never regularly used any Office app other than Excel, and that was over 20 years ago. But it’s impossible not to encounter documents created with Office, whether you personally use it or not. Thus, Microsoft’s typographic choices affect us all. (I’ve never once set anything in Arial, for example, but it’s a near daily irritation thanks to its ubiquity.)

For 15 years, our beloved Calibri was Microsoft’s default font and crown keeper of office communications, but as you know, our relationship has come to a natural end. We changed. The technology we use every day has changed. And so, our search of the perfect font for higher resolution screens began. The font needed to have sharpness, uniformity, and be great for display type. It was exciting at times, but also intimidating. How do you replace Calibri? How do you find that one true font that can take its place as the rightful default?

As we shared before, Microsoft commissioned five new fonts: Bierstadt, Grandview, Seaford, Skeena, and Tenorite. It was our hope that one of them would be our next default font for Microsoft 365. All of them were added to the drop-down font picker. From there, as you got a chance to use them, we listened to your impassioned feedback and chose the one that resonated most which was Bierstadt. But as there was a change of guard so too the name. Bierstadt is now known as Aptos.

I don’t know if Microsoft actually chose Aptos (née Bierstadt) based on customer feedback, but it says a lot about the company either way. Companies that have taste do not conduct design via surveys. (My guess is they’re full of shit and probably knew all along they were going to go with Aptos/Bierstadt, the obvious choice, from the start. The “survey”, such that it was, seemingly consisted of just reading people’s replies on Twitter.)

What I find weird about the whole thing is that Microsoft still hasn’t really shown any of these new fonts. They’ve provided glimpses of them, but mostly at large display sizes, not text sizes, which is where they really matter in the context of Office documents. I’m not the only one to find this curious.

So I took matters into my own hands, and created rudimentary specimens for each of Microsoft’s five new typefaces (and Calibri to boot). A–Z in upper- and lowercase, 0–9, and the most common punctuation marks. Then a paragraph of sample text at 11 points. Dear reader, you really owe me for this one, because I had to use the web app version of Word, by way of Microsoft 365[2] to produce these PDFs. To describe this software as brutal and frustrating is an understatement. Herewith, the PDF specimens, and my brief comments:

  • Aptos — Designed by Steve Matteson. I don’t know why Microsoft states as fact that Calibri somehow needed to be replaced as their default font just because it’s 15 years old. A good default font should stand the test of time for decades, if not a literal lifetime.[3] But if Microsoft feels the need to chase fleeting fashion rather than timeless style, Aptos is the trendiest of the bunch: grotesque sans serifs are having a moment. Aptos is by no means a rip-off of Apple’s San Francisco, but it is, by far, the most San-Francisco-esque of any of these typefaces. Noteworthy characters: J (stunted and ugly), Q (small tail), R (inspired by Univers?), g (double-story, reminiscent of Franklin Gothic’s), and the numeral 1 (curved hat, a la, of all fonts, Arial). But the most distinctive character is the lowercase L, which has a curve to differentiate it from the uppercase i and numeral 1.

  • Grandview — Designer Aaron Bell admits Grandview was largely inspired by DIN, and it certainly looks like it. Far too mechanical to serve as the default font. For chrissake look at those quotation marks and apostrophes.

  • Seaford — Designed by Tobias Frere-Jones, Nina Stössinger, and Fred Shallcrass. Seaford strikes me as the only other font in the bunch that might conceivably have been chosen as the new default. If Microsoft had better (any?) taste, they would have chosen Seaford. Seaford strikes my eye as most similar to Martin Majoor’s rightfully renowned and beloved Scala Sans, with — maybe — a wee dose of influence from, of all typefaces, Frere-Jones’s ex-partner Jonathan Hoefler’s aptly-named Ideal Sans.[4]

  • Skeena — Designed by John Hudson and Paul Hanslow. Looks like it came off a clip art CD circa 1995.

  • Tenorite — Designed by Erin McLaughlin and Wei Huang. Admittedly inspired by Adrian Frutiger’s hall-of-fame typeface Avenir, and looks like it. Too friendly, bordering on childish (see the single-story lowercase “a”), to serve as the default for Office.

  • Calibri — Designed by Lucas de Groot. It’s not my bag, personally,[5] but Calibri is both a very good sans serif and a fine default for Office. There’s no reason Microsoft couldn’t have stuck with Calibri for decades to come.

Postscript

The kerning is rather awful in all of these PDF specimens, at times jarringly so. I suspect, or at least hope, the problem is with the web version of Word (which I presume has its own text rendering engine), not the fonts themselves. Look, for example, at the words milliner and Uncle (which looks like “Unde” in some of them) in the sample text. If these fonts were available for download, I’d have typeset the specimens using better software, but they’re not, so I can’t. I suppose I could fish out the web fonts used by Microsoft 365, but this whole endeavor has consumed enough of my time as it is.

  1. Why is the Microsoft Design blog hosted at Medium, rather than at Microsoft’s own website, like the company’s main blog?

  2. Which I have access to by way of my team account for Dithering. You’ll never guess which of us set that up.

  3. Apple’s default font (as seen today in apps like Pages, Numbers, and TextEdit, and in bygone times in apps like MacWrite and SimpleText) has been nearly unchanged since 1991 or so, switching only from Helvetica to its superior expanded sibling Helvetica Neue. Prior to Helvetica, the default font was Geneva, Susan Kare’s pixel font homage to Helvetica. No one is going to make a movie about Aptos.

  4. Ideal Sans should be familiar to those of you who remember Vesper, which speaks to my deep and abiding affinity for it.

  5. De Groot’s Consolas, which he designed as a fixed-width counterpart to Calibri, is my most-used monospaced font. This entire article, right down to this footnote, was drafted using Consolas in BBEdit.

martinbaum
291 days ago
Gruber’s at his smarmy, snooty best/worst when he’s bitching about typography.

WordPress Turns 20


It’s funny what gains traction for the long haul, and what turns out, in hindsight, to be a flash in the pan. I, for one, never would have predicted that WordPress would grow to become, by far, the most popular CMS in the world, and the foundation of a thriving company whose primary goal is making the web a better platform.

martinbaum
345 days ago
Gruber's Apple blindspot often makes him unable to see that in tech, broadly adopted mediocre tech nearly always wins.

‘DeSantis Blows Up on the Launch Pad’


Taegan Goddard, writing at Political Wire on Ron DeSantis’s much-ballyhooed campaign launch on Twitter Spaces yesterday:

In the end, the event had all of the appeal of a glitchy conference call.

Politics aside, the event was humiliating for Elon Musk and Twitter. The space crashed on the server side several times, and it crashed the Twitter app on my iPhone at least 6 or 7 times. And even when it finally got going, the audio quality was terrible.

martinbaum
348 days ago
None of which, if it was noticed at all yesterday, will be remembered at all by GOP primary voters in 7 or 8 months.
jhamill
348 days ago
7 or 8 months? I bet they don't care about it today.