TunnelCrack is the combination of two independent security vulnerabilities (LocalNet attack and ServerIP attack) that affect VPN applications. The research paper detailing these vulnerabilities was published and presented on 11 August 2023. IVPN apps were not tested by the researchers, and unlike other providers, we did not receive a vulnerability disclosure.

We have completed the assessment and investigation of the current IVPN applications on each platform we support. Below you can review the results of this process.

In summary:

• iOS IVPN app was vulnerable to LocalNet attack, as LAN traffic was going outside the VPN tunnel by default when the VPN connection was active. This was identified as a consistent issue across all VPN providers assessed during the research.
• Desktop and Android IVPN apps were potentially vulnerable to LocalNet attack, when local network traffic bypassing was enabled in the app (disabled by default).
• Android app was potentially vulnerable to ServerIP attack, in an event of backend failure when OpenVPN protocol was used. The detailed assessment in the blog post covers the IVPN application versions in production at the time TunnelCrack details were released (Windows v3.11.15, macOS and Linux v3.11.14, iOS v.2.10.0, Android v.2.10.0). As highlighted after each section, all potential vulnerabilities were patched and released with the latest IVPN app versions released since then.

Full details: https://www.ivpn.net/blog/ivpn-tunnelcrack-vulnerability-assessment/