VPNs aren't broken – TunnelVision attack is being sensationalized
Experts agree that TunnelVision is being over-inflated.
You may have seen the rumblings about TunnelVision supposedly neutering even the best VPNs. When I first read about it, even I was worried. However, after speaking with VPN and cybersecurity experts, I've realized it's nothing more than sensationalism.
Because this technique has been a possibility for over two decades, it caused an immediate ripple of panic in the industry. VPN users everywhere stopped momentarily, horrified that they might've been acting under a false sense of security.
Let me show you why TunnelVision isn't something you should be worried about and, while problematic, it's pointless trying to use it.
I've been researching VPNs for years, and spend every day testing them, trying to break them, and working with any VPN service that's willing to hear my criticisms. I advocate for digital privacy and better security—all while holding the industry accountable for its actions.
What is TunnelVision?
In a blog post from Leviathan Security Group, TunnelVision is described as a "network technique that bypasses VPN encapsulation" by using an operating system's dynamic host configuration protocol (DHCP).
As Dr Peter Membrey (Chief Engineering Officer at ExpressVPN) explained to me: "Part of this configuration is to tell your device exactly where it should send traffic so that it can reach the internet. There's a lesser-known DHCP feature, however, called Option 121, which enables setting alternative routes for specific destinations—say, the IP addresses that host www.google.com."
He continued, "Any device that supports Option 121 has the potential to have these additional gateways added, diverting the traffic that otherwise would follow the default path."
The problem with TunnelVision
Personally, I draw issue with the way TunnelVision has been represented. I disagree with Leviathan describing it as "decloaking" because only the TLS headers are revealed. If you're using a VPN, the contents of your data packet are still encrypted, because that's done at the device level before it goes out through the network.
TunnelVision isn't decloaking, it's rerouting—there's a difference.
Dr Membrey explained that "[Leviathan] have used the word decloaking, but that term means something very specific. Most people associate the term cloaking with a cloaking device, something found in the Star Trek universe. Decloaking a cloaked ship would mean that you had found a way to take a ship that was invisible, and render it visible.
"In the case of TunnelVision, the traffic was simply routed outside of the tunnel. You can't decloak it, because it was never cloaked in the first place. That's like saying you decloaked a ship because you turned around and saw it sitting there. In both cases it is very unpleasant, but neither qualify as decloaking."
Thankfully, no. Android devices don't have option 121 available in their OS. Similarly, iOS has limitations that also protect against this, so if you're on iPhone or Android, you should be safe.
In other words, you can't decloak what was never cloaked in the first place. Even if someone were to execute this attack against a person using VPN obfuscation (hiding the fact you're using a VPN), it would only come close to decloaking if you were using a sub-par VPN that wasn't doing its obfuscation properly.
Ultimately, there are so many protections in place at a network and device level, so as long as you're using a secure VPN, you'll be fine. This emphasizes the need to avoid VPN services that haven't proven their security.
What's more, when you use TunnelVision, it's immediately apparent that you're doing it. Think of it like a burglar driving a car through your front door instead of trying to pick the lock. Any hacker with an ounce of intelligence wouldn't want you knowing that they're there—so they wouldn't use such an obvious method to get the same data they could obtain perfectly silently through something like forced type 2 DNS leaks, identified by ExpressVPN in a recent paper.
If someone were to execute a TunnelVision attack, it would definitely be a problem, and the information gathered could be used as part of a wider correlation attack to identify you. However, it would take a significant amount of data to do that, and you'd likely be protected by the kill switch beforehand.
What the experts say
Don't just take my word for it, though. Listen to what experts in the industry had to say about the matter:
"Pulling off the attack is not as trivial as has been described, and while it isn’t as difficult as making a cloaking device, it isn’t as simple as pushing a button either. There are a number of things that must align for an attack to be effective. For example, this attack can only really be carried out on public, open WiFi networks. If you’re on a trusted home or office network, you’re not going to be vulnerable. There are also protections that a public Wi-Fi provider can put in place to prevent these attacks being effective as well."
↪ Find out more in ExpressVPN's assessment of TunnelVision.
"To put this very simply: this has been seriously overinflated. If you're at home and no one has hacked your router, you're safe. If you're connecting by cellular network and not anyone else's Wi-Fi, you're safe. If the Wi-Fi network you're joining is not controlled by a malicious actor, you're safe. If you're on a laptop and your kill switch is on, you're safe. And so on. In practice, it takes quite a combination of factors, all existing simultaneously, for this issue to present any risk at all."
"It's an interesting use of DHCP, but it doesn't fundamentally undermine how VPNs work. You're only vulnerable to this attack on public WiFi networks where an attacker either owns the router or can spoof the DHCP responses. Your VPN provider also most likely uses a firewall to stop traffic going outside of the VPN route anyway, so introducing a new route would just knock you offline. Frankly, I think the coverage is a little overblown—this discovery doesn't mean VPNs are useless at all, it just introduces a new threat that has to be taken into account. I think what Leviathan's research does do is widen the security gap between poorly-engineered VPNs and robust VPNs with multiple failsafes and fallbacks."
How to protect yourself against TunnelVision
It's really easy to defend against TunnelVision, and plenty of protections are already in place to keep you safe. Any VPN with a decent kill switch will be able to detect that the traffic isn't going through the VPN network and cut your internet immediately.
If you want a VPN that won't let you down, check out my top three picks below. Take advantage of their money-back guarantees to get three months of free VPN coverage without risking a penny.
1. NordVPN: the best VPN overall
NordVPN beats all other providers hands-down. It's reliable, secure, and always expanding its toolbelt. On top of that, it's budget-friendly, coming in at around $3 per month. See for yourself with a 30-day money-back guarantee and put my favorite VPN through its paces.
2. ExpressVPN: the best for beginners
If you just want an app that'll do everything for you, ExpressVPN has the simplest apps. Express automates all of the configuration, so you get the fastest, most secure connection without having to manually configure anything. While it's twice the price of NordVPN, you can try it with a 30-day money-back guarantee to see how it compares.
3. Surfshark: the best cheap VPN
Don't let the price tag fool you. Surfshark is fast, secure, and every bit as good as NordVPN and ExpressVPN—all for less than $2.50. If you're on a budget, make the most of its unlimited simultaneous connections to protect every device you own—all with a 30-day money-back guarantee to fall back on.
Bottom line: don't worry about TunnelVision
There are so many circumstances that need to align for TunnelVision to genuinely be a threat, and with modern TLS protections, it just isn't as dangerous now as it could've been back in the days when Secure Socket Layer (SSL) encryption was the standard for web protection.
That's not to say it isn't a problem if it happens, but there are just so many reasons not to do it, that it's not worth all of the sensationalism that has been put out there.
Get the best Black Friday deals direct to your inbox, plus news, reviews, and more.
Sign up to be the first to know about unmissable Black Friday deals on top tech, plus get all your favorite TechRadar content.
Andreas has been with TechRadar as Future PLC's Editor-in-Chief of Tech Software since March 2023, supporting content and teams on VPNs, antivirus, and other cybersecurity tools. He's previously written for and led content at ProPrivacy, Business2Community, and The Tech Report. After completing a Master of Research degree, Andreas fell in love with all things cybersecurity; combining his passions to help expose the prevalence of ad tech in the charity sector and raise awareness of digital privacy around the world.
- Sam DawsonVPN and cybersecurity expert