
Security Bits – 22 December 2019

Note: This is the second of two episodes both recorded on the 15th of December 2019, but released over two weeks.

Security Medium 1 — An Over-hyped VPN Weakness

The internet positively hyper-ventilated when security researchers claimed to have found a bug in the TCP/IP implementation on just about every OS that could compromise just about any VPN using just about any VPN protocol.

They did find something interesting, but it’s not as bad as their summary implies, and nothing like as bad as what many misinterpreted the summary to mean.

What the researchers did find is that it’s possible to detect that a VPN is probably being used on a computer by bombarding it with bogus TCP packets and watching how it responds, which reveals the presence of a privately addressed virtual network interface on the computer.

VPNs work by adding a virtual network interface to your computer. That virtual network card has a private IP address in the VPN’s private IP range, and is used to route internet traffic through the VPN connection. Since the virtual network interface is internal to the computer the expectation was that it would not be detectable by others on the network, but that’s not quite true.

The most significant thing the researchers found is that a man-in-the-middle (yet another so-called coffee shop wifi attack) can send bogus TCP packets to a computer’s real IP address containing references to a private IP address, and if that private IP address exists within the computer as a virtual network interface the result will be different than when it doesn’t. Using this technique, every possible private IP can be tested, and if one is being used internally, the attackers will learn that fact, and, what that private IP is.

Note that there are three private IP ranges:

  • 192.168.0.0 – 192.168.255.255 (65,536 IP addresses)
  • 172.16.0.0 – 172.31.255.255 (1,048,576 IP addresses)
  • 10.0.0.0 – 10.255.255.255 (16,777,216 IP addresses)

That gives a total theoretical search space of near 18 million IPs that need to be tested with bogus packets. That could take a while, and, it will be very noisy! In reality, many VPNs can be more easily detected because many of the VPN implementations in use have known default address ranges, so attackers can start their search in parts of the possible address space that are known to be heavily used.
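As an added illustration (not from the episode), here is a small defender-side check for the noise this probing produces: a host-firewall log, in a constructed format, is scanned for a single sender that references many different RFC 1918 addresses on a non-VPN interface within a short window. The log format, MAC addresses, interface names and sample lines are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three RFC 1918 ranges that make up the search space described above.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical host-firewall log line (format constructed for this example):
#   <ISO-8601 time> iface=<if> mac=<sender MAC> src=<ip> dst=<ip> proto=TCP
LINE_RE = re.compile(
    r"^(?P<ts>\S+) iface=(?P<iface>\S+) mac=(?P<mac>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=TCP$"
)

def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)

def parse(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def find_private_sweeps(lines, window=timedelta(seconds=60), threshold=5):
    """Map sender MAC -> largest number of distinct private source addresses it
    used on a non-VPN interface inside `window`, for senders above `threshold`.
    A home router or a real VPN peer uses one private address; one sender
    cycling through many of them is the bogus-packet sweep, not normal traffic."""
    seen = defaultdict(list)  # mac -> [(timestamp, private source ip)]
    for line in lines:
        rec = parse(line)
        if rec is None or rec["iface"].startswith(("tun", "utun", "wg")):
            continue  # skip unparsable lines and traffic on the VPN's own interface
        if is_private(rec["src"]):
            seen[rec["mac"]].append((rec["ts"], rec["src"]))
    sweeps = {}
    for mac, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            in_window = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(in_window) > threshold:
                sweeps[mac] = max(sweeps.get(mac, 0), len(in_window))
    return sweeps

# Constructed sample: a legitimate router, one packet on the VPN interface, and a
# second sender that walks through six addresses in the 10.8.0.0 range in six seconds.
SAMPLE_LOG = [
    "2019-12-15T10:00:00Z iface=wlan0 mac=aa:bb:cc:00:00:01 src=192.168.1.1 dst=192.168.1.20 proto=TCP",
    "2019-12-15T10:00:01Z iface=utun2 mac=aa:bb:cc:00:00:01 src=10.8.0.1 dst=10.8.0.6 proto=TCP",
] + [
    f"2019-12-15T10:00:{2 + i:02d}Z iface=wlan0 mac=de:ad:be:ef:00:01 src=10.8.0.{i + 1} dst=192.168.1.20 proto=TCP"
    for i in range(6)
]
```

Running `find_private_sweeps(SAMPLE_LOG)` flags only the second sender; the router's single address stays below the threshold.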

Does knowing the private IP give attackers anything of significant value? Nope! That’s a lot of work for very little information.

The researchers went on from there to try to get something of value from their tiny foot-hold of information, but at this stage, their attacks go from impractical to utterly impractical IMO.

Once you know the private IP, you can test if there is an open TCP connection (through the VPN) from the private IP to a given IP address and port, but to do so you need to send many more fake packets — up to one for every possible un-privileged TCP port (that’s a little over 65 thousand port numbers!).

This doesn’t let attackers see what connections a victim has open, only to detect if the victim has a connection to a given remote IP & port combination.

The researchers didn’t stop there, but at this point, I’d argue their claims become overblown to the point of being misleading.

If you find a connection you can’t see into it, because nothing in this attack breaks VPN encryption!

What the researchers did find is that they could mess with the connection they discovered to cause it to reset, and in some situations, the size of the resulting packets implies a specific protocol is probably in use. They also said they could inject packets into the connection, implying they could inject attack code. This is misleading! It’s true at the lowest underlying TCP level, but, since the VPN encryption on top of TCP has not been broken, they can only inject absolute garbage! At worst they might be able to cause the connection to crash, resulting in the connection dropping.

So, bottom line — the only practical part of this attack is the detection of the private IP. That doesn’t prove that a VPN is in use, but it does strongly suggest one is being used, and the IP address might suggest that a specific VPN product is likely to be in use. This initial attack is only possible if the attackers can get themselves into a man-in-the-middle position, and, even the initial attack is noisy, very likely to set off the kinds of network security devices used by most large organisations. The remainder of the attacks are even noisier and even less practical.

Basically, nothing to worry about, carry on VPNing!


Security Medium 2 — An iOS 13 iPhones 11 Location Tracking Conundrum Explained

Well known security researcher Brian Krebs noticed that the icon indicating that his iPhone 11 was using location services was coming on at unexpected times, even when he had disabled the toggles controlling individual apps and OS features’ use of the service. This looked like a bug, and, it only seemed to affect iPhones 11.

The explanation proved to be very simple — there are regulations governing the use of the new Ultra wide-band Bluetooth spec used by the U1 chip in the latest iPhones. Those chips legally must be disabled in some locations, so to know if the chip can be used, iPhones have to check where they are before they power up the chip. The location information is not stored or shared, it’s just used on the device to implement the legal restrictions.

Apple have said they’ll provide a toggle to disable this functionality, presumably by turning off the U1 chip completely.

Bottom line — nothing nefarious is going on, and there is no danger to user privacy.

