Your real IP address may be exposed due to the vulnerability in a number of VPN providers
Recently, VPN provider Perfect Privacy announced that it has discovered a massive security hole in a number of VPN providers that allow an attacker to expose the real IP address of a victim, thus rendering it useless.
Dubbed as “Port Fail”, the vulnerability affects VPN providers that offer port forwarding and have no protection against this specific attack. Two weeks have passed and most affected providers still haven’t fixed the problem.
Communicating with Engadget via email, Perfect Privacy told, “We have not tested this again after the fact so we can make no definite statement on the current number of affected VPN providers.” This means that the majority of VPN users may as well not be using one, which is bad news for people who just want to safely use public wi-fi or whose safety and security depend on keeping their IP address private.
Perfect Privacy recommends “anyone using a VPN service to ask their support desk whether this issue has been fixed.”
The user’s Internet connection travels encoded from computer to VPN server with a VPN (Virtual Private Network). The user’s connection then travels unencrypted to their final destination (a website). This way, websites cannot see the user’s VPN and only see the VPN’s IP address.
The security company said that they have tested this vulnerability with nine prominent VPN providers that offer port forwarding.
“Five of those were vulnerable to the attack and have been notified in advance so they could fix this issue before publication,” Perfect Privacy said.
“However, other VPN providers may be vulnerable to this attack as we could not possibly test all existing VPN providers.”
When the security company released the news on November 26, only Ovpn.to and nVPN changed the settings necessary to block Port Fail attacks.
Initially, popular service Private Internet Access (PIA) told press it had fixed the matter, but then backtracked its statement of a fix. Currently, PIA has 3093 servers in 35 locations across 24 countries. Along with TorGuard, Lifehacker lists PIA as number one in its “Five Best VPN Service providers,” which also allows port forwarding but is not susceptible to the attack.
Published on Perfect Privacy’s blog along with the November disclosure, the fixes are distressingly simple. The company said via email, “The easiest fix for affected VPN providers is to add firewall rules when a client connects that blocks access from client real IP to port forwardings that are not his own.” They explained, “The other option is to assign different entry and exit IPs.”
Perfect Privacy’s blog post said its customers are not affected by Port Fail.
The victim has no way of knowing they have lost their anonymity when targeted by the “Port Fail” attack.
For Port Fail to work, the victim does not need to use port forwarding. The attacker uses the same VPN provider as the target and simply sets up port forwarding.
By getting the victim to click a link, the attacker can get the real IP addresses of any user on the same VPN service. It then redirects the victim to a port under the attacker’s control.
By getting your real IP address with Port Fail, the attackers can identify your internet service provider (ISP, such as Comcast or Sonic.net). While your ISP knows exactly who you are, they are usually unwilling and hesitant to share that information. Also, if they get a court order to do so, they are required to disclose your identity and personal information.
Your IP address discloses where you are located on a map, usually down to the neighborhood, so the Port Fail attacker will know that, too. Port Fail also allows attackers to see which websites you visit, and how often.
As the Port Fail apparently uncloaks torrent users quite easily, it would be a gem in the private spying stashes of the RIAA or MPAA.
It may already be in the NSA’s depository. Legal standing for cyberspying on people outside the US has already been put into place by the US government, and possible they are willing to go on someone who is just being interpreted as coming from outside the US like when someone uses a foreign VPN.
The Justice Department put forward a new kind of warrant for domestic VPN spying last February, for “remote access” to devices and desktops when their locations are hidden “through technological means.”
While there are hundreds of VPN services throughout the world, users should check if the service they use offers port forwarding and ask whether Port Fail has been fixed.