You may be hearing reports of a new vulnerability, called TunnelVision, that can allow an attacker to bypass VPN protection under certain circumstances. The researchers reached out to us prior to the publication of the paper, and we’ve had time to do extensive testing on our own.
After a thorough evaluation, we can confirm that the technique described in the paper has minimal impact on ExpressVPN users, thanks to the robust design of our kill switch, Network Lock.
In short:
- Android is not affected at all
- Aircove is completely protected as it has Network Lock on by default and cannot be disabled
- Desktop apps are not affected if Network Lock is turned on
- iOS can be affected, due to limitations set by Apple. This is consistent with historical iPhone security limitations. As noted by the researchers, using 4G or 5G rather than Wi-Fi mitigates this issue.
We highly recommend that all ExpressVPN users enable the kill switch at all times. We’re also adding new reminders in our apps to encourage users to keep the kill switch toggled on.
If you are interested in more information, you can find it in our TunnelVision blog post. We also detail our investigation and how it relates to ExpressVPN’s apps on each platform we support below.
About our investigation
In their TunnelVision paper, the researchers assert that it is possible to induce a leak of VPN traffic when using something called DHCP Option 121 classless static routes, and that this affects all VPN providers and VPN protocols that support such routes.
To put this simply, it means that under certain conditions (and only when you connect to a network you don’t control, like hotel or airport Wi-Fi), an attacker with control of the Wi-Fi router could designate that any traffic bound for a particular destination be diverted outside the VPN.
It takes a specific sequence of conditions to be met for anyone to be affected by this issue, and ExpressVPN’s customers are among the best protected, in part because of the strength and structure of Network Lock.
When Network Lock is on, we found that leaks do not occur. Traffic bound for the destination designated by an attacker would result in “denial of service”—it would simply be blocked, resulting in a blank webpage or error message. Traffic that was headed to any other destination (in other words, anywhere not specified for diversion by the attacker) would pass through the VPN as normal. However, if a user has manually turned Network Lock off, then the traffic would indeed be allowed to pass via the diverted route, causing a leak.
As such, we highly recommend that all ExpressVPN users enable the kill switch at all times. We’re also adding new reminders in our apps to encourage users to keep the kill switch toggled on.
About our platforms
The exposure to this technique depends on the operating system or device being used.
Starting with our desktop users: thanks to Network Lock (the ExpressVPN kill switch on Mac, Windows, Linux, and routers), the potential for exposure is limited. Whether you use Mac or Windows, our investigation found that this technique could only pose a threat if Network Lock had been manually disabled by a user. As Network Lock is enabled by default, users who have never modified their settings cannot be affected.
So if you, like many ExpressVPN users, simply open your app, hit the big On button, and occasionally change locations, then you have never been exposed to this issue. The way we designed our kill switch ensures that our desktop users are defended against this technique and other attacks that attempt to force traffic outside of the VPN.
On Aircove and Aircove Go routers, you cannot be vulnerable, as the kill switch is always on and cannot be disabled.
Mobile users: On Android, you cannot have been exposed, as this technique does not impact ExpressVPN’s Android app at all. This is because DHCP Option 121 is not supported on that platform. On iOS, due to limitations set by Apple, we cannot guarantee the same protection. As noted by the researchers, using 4G or 5G rather than Wi-Fi mitigates this issue entirely.
How we built and designed Network Lock to protect users
As we’ve explained, Network Lock is the ExpressVPN kill switch on Mac, Windows, Linux, and routers. It keeps user data safe by blocking all internet traffic until protection is restored. A similar feature is available under the Network Protection settings of our iOS and Android apps. We offer these features because a reliable kill switch is an essential feature of a VPN, key to protecting users and ensuring their privacy. That’s why we also turn our kill switch on by default and have spent a lot of time investing in its reliability since we first rolled it out in 2015.
We also made a lot of careful engineering and design decisions to implement the feature. Our Network Lock feature prevents all types of traffic including IPv4, IPv6, and DNS from leaking outside of the VPN, such as when the user’s internet connection is disrupted, when switching between Wi-Fi networks, and other various scenarios where other VPNs might leak.
Our kill switch functionality on router firmware and all desktop platforms works by applying a “block everything” firewall rule followed by a rule that permits traffic exclusively through the VPN tunnel. These kill switch rules are first engaged when the VPN connects, and they remain active during reconnect cycles and unexpected disconnects. This is exactly what the researchers are referencing in the “Industry Impact” section of their report when they state that they “have observed a mitigation from some VPN providers that drops traffic to non-VPN interfaces via firewall rules.”
This setup safeguards against the TunnelVision exploit and similar threats. It blocks any traffic trying to bypass the VPN, including any routes that TunnelVision may have introduced.
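As an added illustration (not ExpressVPN's own code), the following Python models the two mechanisms discussed above: it decodes a constructed DHCP Option 121 (RFC 3442 classless static route) payload, applies longest-prefix routing the way a host would, and then applies a "drop everything not on the tunnel" kill-switch policy to show why a diverted destination is blocked with the lock on but leaks with it off. The interface names, the VPN endpoint address and the two /1 tunnel routes are assumptions.

```python
import ipaddress

VPN_IF = "tun0"            # assumed tunnel interface name
LAN_IF = "wlan0"           # assumed physical (hotel/airport Wi-Fi) interface
VPN_SERVER = "203.0.113.7" # assumed VPN endpoint (documentation address)

def decode_option121(data: bytes):
    """Decode RFC 3442 classless static routes: each entry is a 1-byte prefix
    length, ceil(len/8) significant destination bytes, then a 4-byte router."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8
        if plen > 32 or i + 1 + n + 4 > len(data):
            raise ValueError("malformed or truncated Option 121 payload")
        dest = bytes(data[i + 1:i + 1 + n]) + b"\x00" * (4 - n)
        gw = ipaddress.IPv4Address(data[i + 1 + n:i + 5 + n])
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False), gw))
        i += 5 + n
    return routes

def build_table(option121: bytes):
    """Host routing table (constructed model): the VPN's two /1 routes via the
    tunnel, the VPN endpoint via Wi-Fi, plus whatever DHCP pushed via Wi-Fi."""
    table = [(ipaddress.IPv4Network("0.0.0.0/1"), VPN_IF),
             (ipaddress.IPv4Network("128.0.0.0/1"), VPN_IF),
             (ipaddress.IPv4Network(VPN_SERVER + "/32"), LAN_IF)]
    table += [(net, LAN_IF) for net, _gw in decode_option121(option121)]
    return table

def egress(dst, table):
    """Longest-prefix match: a /24 pushed by DHCP beats the VPN's /1 routes."""
    dst = ipaddress.IPv4Address(dst)
    best = max((r for r in table if dst in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def verdict(dst, table, network_lock: bool):
    """Kill-switch policy: permit the tunnel and the encrypted endpoint traffic,
    drop everything else (lock on) or let it out in the clear (lock off)."""
    iface = egress(dst, table)
    if iface == VPN_IF:
        return "tunnel"
    if str(dst) == VPN_SERVER:
        return "handshake"  # the tunnel's own packets must reach the endpoint
    return "blocked" if network_lock else "leak"

# Constructed Option 121 payload of the shape the paper describes:
#   198.51.100.0/24 via 192.168.1.1  and  0.0.0.0/0 via 192.168.1.1
OPTION_121 = bytes([24, 198, 51, 100, 192, 168, 1, 1, 0, 192, 168, 1, 1])
```

With the lock on, traffic to 198.51.100.0/24 is dropped (the "denial of service" outcome described above) while other destinations still use the tunnel; with the lock off, the same traffic leaves on the Wi-Fi interface.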