Android for the win.
"Interestingly, Android is the only operating system that fully immunizes VPN apps from the attack because it doesn't implement option 121."
Linux in general. The downside is that end users have (for them) confusing high level options such as "Ignore routes obtained via DHCP". Or the even more mysterious low level kernel parameters.
🤦 At a quick glance, this seems like a really dumb and obvious vulnerability, no? Security for the average user is so fucked.
Dumb, yes. You shouldn't be able to essentially check a box and negate a VPN
I love Android
the attack requires someone to plant a DHCP server into your local network... i guess if you are using wifi out and about that can be done anywhere... and i guess that's gonna have to be fixed for other devices as well
it's not relevant to your home network or one competently run, but there's plenty of dodgy stuff out there
i don't see any specifics about VPN apps though... is this all, like openvpn, pptp... wireguard throws up a higher priority network device and establishes the connection outbound so i can't see how this would work on wireguard
https://www.wireguard.com/netns/#the-new-namespace-solution
linux and wireguard > android > ios/macos
Right. It's more of an attack for people that connect to public WiFi, which many of us do when we're traveling. And when I do, I always use a VPN. It's good security practice. Knowing that this good security practice didn't mean shit for most people, if an attacker was present, isn't good.
yeah, it makes me think i'll prefer to use my mobile data if i'm in a sketchy or unfamiliar place... i don't really go out much and i pay almost nothing for my mobile service and almost don't use it at all... it's not a big threat for me but i'm gonna probably think about removing all but my home wifi and that's that... i can even replace my router, and route all my home network traffic through the mini pc i run my bitcoin node on
also, just to point out, this is all moot with IPv6 or static IP addresses
they didn't mention that, but thinking it through, if the device has a network address assigned in another way than DHCP then it's irrelevant also
i set up, briefly, my SSH access to a VPS that went only over wireguard... an OS level feature that makes this namespace configuration simpler would completely obviate the problem... i mean, even windows machines could run this service in WSL2 and only give access to the outside to WSL, or similar with macos...
i love my wireguard VPN... but not for the sense of security against snooping or locating me so much as the way it lets me create my own virtual ... ahem... private networks... which you can't do with most VPN services, only the ones you run yourself, and wireguard is built into linux kernel now too
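Added example, not part of the thread: a defender-side decoder for the DHCP option 121 (RFC 3442 classless static routes) quoted at the top, which flags any non-default route for a non-local destination in a lease. The function names, the `LOCAL_NETS` allow-list and the sample bytes are assumptions constructed for illustration.

```python
import ipaddress

# RFC 1918 and link-local ranges that a LAN's DHCP server may plausibly route.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def find_option(options: bytes, code: int) -> bytes:
    """Walk DHCP option TLVs (the bytes after the magic cookie); return the value of `code`."""
    i, value = 0, b""
    while i < len(options) and options[i] != 255:    # 255 = end option
        if options[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        body = options[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated option body")
        if options[i] == code:
            value += body                            # repeated options are concatenated
        i += 2 + length
    return value

def decode_option_121(value: bytes):
    """Decode RFC 3442 entries: prefix length, significant destination octets, router."""
    routes, i = [], 0
    while i < len(value):
        width = value[i]
        n = (width + 7) // 8                         # destination octets actually sent
        chunk = value[i + 1:i + 5 + n]
        if width > 32 or len(chunk) != n + 4:
            raise ValueError("malformed option 121 entry")
        dest = ipaddress.IPv4Address(chunk[:n] + bytes(4 - n))
        net = ipaddress.ip_network(f"{dest}/{width}", strict=False)
        routes.append((net, ipaddress.IPv4Address(chunk[n:])))
        i += 5 + n
    return routes

def suspicious_routes(options: bytes):
    """Non-default routes for non-local destinations: longest-prefix match lets
    these outrank a VPN's default route, so they deserve a closer look."""
    return [(net, gw) for net, gw in decode_option_121(find_option(options, 121))
            if net.prefixlen > 0 and not any(net.subnet_of(l) for l in LOCAL_NETS)]

# Constructed sample: the options field of a DHCPOFFER (not a real capture).
SAMPLE = bytes.fromhex(
    "350102" "7915"              # option 53 = OFFER; option 121, 21 bytes
    "18c0a832c0a80101"           # 192.168.50.0/24 via 192.168.1.1
    "00c0a80101"                 # 0.0.0.0/0 via 192.168.1.1
    "18c63364c0a80142" "ff")     # 198.51.100.0/24 via 192.168.1.66; end
```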