Discussion in 'all things UNIX' started by ronjor, Dec 5, 2019.
By Eduard Kovacs on December 05, 2019
OK, so this doesn't involve actually hacking the VPN encryption. It's just a local hack that lets attackers fsck with traffic from other devices on the same subnet.
So if you're on a LAN behind a decent NAT router, only other machines on the same LAN are potentially problematic.
And we already know that working on LANs with untrusted neighbors is hugely risky. It's best practice to at least segregate critical machines in protected subnets.
Also, there's a good chance that tight iptables rules and routing will prevent this.
Edit: Perhaps obviously, this focuses on using VPNs via WiFi APs. And it depends on the AP being malicious. That's a major use case, so this is a huge issue. See HN discussion at https://news.ycombinator.com/item?id=21712280