Researchers at the University of London and the University of Rome felt VPN service providers' claims about advantages of using their services, such as online anonymity, censorship avoidance, and protection from tracking/monitoring, have not received enough scrutiny. So, the academics downloaded the clients for desktop and mobile devices of 14 of the most popular commercial VPN services. The team published their findings in the paper A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients (PDF).
"A common misconception is that the word 'private' in the VPN initialism is related to the end-user's privacy, rather than to the interconnection of private networks," says the authors in the paper's introduction. "In reality, privacy and anonymity are features hard to get, requiring a careful mix of technologies and best practices that directly address a well-defined adversarial/threat model."
Here's what the research team discovered:
- Many of the services use outdated technologies such as PPTP (with MS-CHAPv2), which can be broken using brute-force attacks.
- Most of the commercial VPN clients allowed data leakage in dual-stack networks (i.e., those supporting IPv4 and IPv6).
- Using various applications, websites, and operating systems, the researchers determined that traffic was exposed to public detection.
- With IPv6 traffic leaking outside the VPN tunnel, it could expose the user's browsing history even on IPv4-only websites.
IPv6 leakage seemed to concern the researchers the most. "The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table," explains the researchers. "No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN's virtual interface."
Figure A provides information about each of the 14 services and how they fared regarding IPv6 leakage.
Responsible disclosure and responses
I checked a few of the VPN service providers' websites, and I learned the research team did their due diligence by informing the providers of their findings months before publishing the paper. Several of the providers responded.
An AirVPN staff member wrote: "The paper is outdated because their tests were performed on VPN servers with a /30 topology we kept to maintain compatibility with Windows OpenVPN 2.0.9 and older versions. After the draft paper preview they kindly provided us with months ago, we decided to speed up Windows OpenVPN 2.0.9 support drop, which made sense in 2010 but not now."
The same staff member then theorizes, "Unfortunately they could not manage to fix the paper, purely for problems of time we suppose, which remains outdated."
TorGuard, another service provider, offered a response to the research paper in this blog post. "Recently, security researchers from the Sapienza University of Rome and Queen Mary University of London have released a white paper detailing the possible security risks of leaking personally identifying information via IPv6 when using Virtual Private Networks," writes TorGuard Admin. "While this vulnerability has been known for years, the researchers found that many of the today's 'top' VPN providers (TorGuard excluded [their emphasis]) leak IPv6 requests in plain sight."
The post then discusses how an IPv6 leak occurs and measures to prevent any private IPv6 requests from leaking.
The researchers started a discussion, and now people who want to use this type of service are better prepared to ask the right questions.
Note: Since IPv4 is still around, one solution might be to disable IPv6 while using a commercial VPN service. Here's how for Windows operating systems.
Information is my field...Writing is my passion...Coupling the two is my mission.