Researchers find majority of VPN service providers leaking surfing data of IPv 6 users; VPN provider respond to their allegations
Many people use VPN services to keep their personal information safe when using the internet. The VPNs not only keep their personal information safe but also keep their online excursions private. However a new report by researchers suggests that VPN provides are leaking the online surfing details of IPv 6 VPN users.
A study conducted by researchers at Queen Mary University of London has shown that many VPN networks leak information about their users. This information could be as broad in scope as the websites users were visiting, and as detailed as the actual content of messages they were sending to other parties.
The have published a paper titled A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients. (pdf) after investigating 14 popular services on the market today.
“Our findings confirm the criticality of the current situation: many of these providers leak all, or a critical part of the user traffic in mildly adversarial environments. The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models,” the researchers write.
The researchers stated that though the VPN providers send data through an encrypted tunnel, the problems arise during the second stage of the VPN client’s operation: traffic redirection.
“The problem stems from the fact that routing tables are a resource that is concurrently managed by the operating system, which is unaware of the security requirements of the VPN client,” the researchers have noted in their research.
This means that changes to the routing table (whether they are malicious or accidental) could result in traffic circumventing the VPN tunnel and being leaked to via interfaces. The research paper notes “The vulnerability is driven by the fact that, whereas all VPN clients manipulate the IPv4 routing table, they tend to ignore the IPv6 routing table. No rules are added to redirect IPv6 traffic into the tunnel. This can result in all IPv6 traffic bypassing the VPN’s virtual interface.”
TorrentFreak reached out to the VPN providers to record their comments on this grave issue which can put VPN users identity in jeopardy.
One of the VPN providers, PureVPN noted that “take the security of our customers very seriously and thus, a dedicated team has been assigned to look into the matter.” While another VPN, AirVPN stated that“At least for AirVPN the paper is outdated.” They added, “We think that the researchers, who kindly sent the paper to us many months in advance and were warned about that, had no time to fix [the paper] before publication. There is nothing to worry about for AirVPN. Current topology allows us to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.”
TorGuard said that they knew about whitepaper and have been working to address the issues it raises. The company adds that while The Register’s “the sky is falling” coverage of yesterday is “deceptive”, the study does illustrate the need for providers to stay vigilant. It said it has also launched a new IPv6 leak prevention feature on Windows, Mac and Linux.
“Today we have released a new feature that will address this issue by giving users the option of capturing ALL IPv6 traffic and forcing it through the OpenVPN tunnel. During our testing this method proved highly effective in blocking potential IPv6 leaks, even in circumstances when these services were active or in use on the client’s machine,” the company stated
On the DNS hijacking issue, TorGuard provides the following detail,
“It is important to note that the potential for this exploit only exists (in theory) if you are connected to a compromised WiFi network in which the attacker has gained full control of the router. If that is the case, DNS hijacking is only the beginning of one’s worries. During our own testing of TorGuard’s OpenVPN app, we were unable to reproduce this when using private DNS servers because any DNS queries can only be accessed from within the tunnel itself.”
Another leading VPN provider, Private Internet Access said that,
“While the article purported to be an unbiased and intricate look into the security offered by consumer VPN services, it was greatly flawed since the inputs or observations made by the researchers were inaccurate. While a scientific theory or scientific test can be proven by a logical formula or algorithm, if the observed or collected data is incorrect, the conclusion will be in error as well.”
PIA panned the research paper on various fronts, including incorrect claims about its DNS resolver.
“Contrary to the report, we have our own private DNS daemon running on the Choopa network. Additionally, the DNS server that is reported, while it is a real DNS resolver, is not the actual DNS that your system will use when connected to the VPN. Your DNS requests are handled by a local DNS resolver running on the VPN gateway you are connected to. This can be easily verified through a site like ipleak.net. Additionally… we do not allow our DNS servers to report IPv6 (AAAA records) results. We’re very serious about security and privacy.”
PIA has also published a response in which it says that its Windows client is safe. However, the PIA has commended the researchers presenting a detailed analysis of the DNS hijacking method but criticised it for presenting the same wrongly.
“The DNS Hijacking that the author describes [..] is something that has recently been brought to light by these researchers and we commend them on their discovery. Proper reporting routines would have been great, however. Shamefully, this is improper security disclosure.”
The above disclosures by the researchers affect only IPv 6 clients so if you are using IPv 4, your privacy is safe. IPv 6 users may contact their service provide to patch the issues noted by the researchers.