VPNs Aren’t as Secure as You Think

14 of the most popular commercial VPN providers in the world leak IP data, according to a team of five researchers from universities in Rome and London, as reported by PCWorld.

The security and privacy of users are at risk, the researchers claim, adding that providers' promises of complete security for users are false.

The researchers made the claims in a paper titled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”, which is available to download.

Researchers’ claims

“Despite being a known issue, our experimental study reveals that the majority of VPN services suffer from IPv6 traffic leakage,” wrote the researchers.

Some of the major VPN providers that were studied included, among others:

  • Hide My Ass
  • IPVanish
  • Private Internet Access
  • PureVPN
  • TorGuard

“Our findings confirm the criticality of the current situation: many of these [14] providers leak all, or a critical part of the user traffic in mildly adversarial environments.”

Among the revelations, researchers found that:

  • 11 of the 14 providers leaked information that included websites visited and the actual content transmitted during these interactions.
  • The three providers that didn’t were Private Internet Access, Mullvad and VyprVPN.
  • VPN provider TorGuard offered a means to circumvent the problem but it wasn’t enabled by default.
  • VPN applications on mobile platforms were also tested. iOS was generally more secure than Android, which was susceptible to leakage.
  • Websites that were encrypted with HTTPS did not contribute to any leakage.

Reasons for the leak

The research team found that most of the current VPN tunneling infrastructure relies on outdated technologies. According to the researchers, a routine brute-force attack could easily break these technologies.

Another factor was that most VPNs safeguard only IPv4 traffic, despite many network operators and service providers switching over to IPv6. When the client's IPv6 default route is left pointing at the physical interface, traffic to dual-stack destinations simply bypasses the tunnel.
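As an added illustration of that IPv4-only tunnelling failure (example code written for this page, not from the paper or the article), the script below parses Linux `ip route` / `ip -6 route` output and flags the state where IPv4 defaults through the VPN interface while IPv6 still defaults out of the physical uplink. The interface name `tun0` and the route listings are constructed assumptions.

```python
"""Detect IPv6 leakage around a VPN tunnel from a host's routing tables.

Parses Linux `ip route` / `ip -6 route` output. The sample tables at the
bottom are constructed; on a real host feed in the live command output.
"""
import re

# destination, optional next-hop, and outgoing interface of one route line
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(text):
    """Return (destination, next_hop, interface) tuples from `ip route` output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append((m.group("dst"), m.group("via"), m.group("dev")))
    return routes


def default_interface(routes, v6=False):
    """Interface carrying the default route, or None if the family has none."""
    for dst, _via, dev in routes:
        if dst in ("default", "::/0" if v6 else "0.0.0.0/0"):
            return dev
    return None


def check_leak(v4_table, v6_table, tunnel_iface):
    """Classify routing state: leak means v4 is tunnelled but v6 exits elsewhere.
    No IPv6 default route at all is not a leak (v6 is unreachable, not exposed)."""
    v4_dev = default_interface(parse_routes(v4_table))
    v6_dev = default_interface(parse_routes(v6_table), v6=True)
    leak = v4_dev == tunnel_iface and v6_dev is not None and v6_dev != tunnel_iface
    return {"ipv4_default_dev": v4_dev, "ipv6_default_dev": v6_dev, "ipv6_leak": leak}


# Constructed sample: IPv4 goes via tun0, IPv6 default still via the LAN router on eth0.
SAMPLE_V4 = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev eth0 proto ra metric 100
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1 dev eth0 proto ra metric 100
"""

if __name__ == "__main__":
    print(check_leak(SAMPLE_V4, SAMPLE_V6, "tun0"))  # ipv6_leak: True
```

A clean result requires either an IPv6 default route via the tunnel interface or no IPv6 default route on the uplink at all; the fix is on the client's routing and firewall configuration, not on the VPN server.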

“The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models,” the team added.

Steve Manzuik, Research Director at Duo Security, agreed with the researchers, noting that enterprise VPN solutions are largely unaffected by the leakage concerns.

“For the average business user of VPN technology, there is no impact,” he said.

In offering advice for commercial users who depend on VPN solutions for privacy, Manzuik noted that they should “always be aware of what protocols their systems are transmitting on and consider a VPN service that also provides coverage for those or at the very least disable those that are unused.”

He also stressed that VPN technology was designed to offer a more secure means of connecting to an organization's internal network infrastructure while using insecure or untrusted networks. Contrary to popular belief, VPN services are not designed to offer privacy, he added.

“Even with a well-configured VPN in place, there are other methods to identify a user and violate their perceived privacy,” concluded Manzuik.