VPN users, beware: You may not be as safe as you think you are

Thanks to IPv6 leakage, your data could be out there for anyone to see

It's become common practice to use virtual private networks for extra privacy and security in this era of mass surveillance, but a study published this week suggests such networks may not be as safe as they're commonly made out to be.

In fact, because of a vulnerability known as IPv6 leakage, many of them can expose user information to prying eyes, according to a paper from researchers at Sapienza University of Rome and Queen Mary University of London.

Entitled "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients," the report describes a study conducted late last year that examined 14 popular commercial VPN providers around the world.

Specifically, the researchers tested the VPNs by attempting two kinds of attacks: passive monitoring, whereby a hacker might simply collect the user's unencrypted information, and DNS hijacking, where the hacker would redirect the user's browser to a controlled Web server by pretending to be a popular site like Google or Facebook.

What they found was unnerving: 11 of the 14 providers leaked information, including the websites the user was accessing and the actual content of the user's communications. The only three that didn't were Private Internet Access, Mullvad and VyprVPN. TorGuard offered a way around the problem, they noted, but it wasn't enabled by default.

The study also examined the security of various mobile platforms when using VPNs and found that VPN use was much more secure on iOS but was still vulnerable to leakage on Android.

Interactions with websites running HTTPS encryption were not leaked, the researchers noted.

So what's to blame for the leakage? One factor is that while network operators are increasingly deploying IPv6, many VPNs still protect only IPv4 traffic, the researchers concluded.
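To make the IPv4-only gap concrete, here is an added example (not code from the paper or this article) that inspects a host's routing tables and flags the case where IPv4 is sent through the tunnel while IPv6 still leaves by the physical interface. It assumes Linux `ip route`-style output and tunnel interfaces named with the prefixes listed in the code; the sample routing tables are constructed for illustration.

```python
import re

# Assumption: tunnel interfaces are recognisable by these name prefixes.
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")
# Route sets that capture internet-bound traffic, most specific first.
CAPTURE_SETS = {
    4: [("0.0.0.0/1", "128.0.0.0/1"), ("default",)],
    6: [("2000::/3",), ("::/1", "8000::/1"), ("default",)],
}

# Constructed samples in the style of `ip -4 route` / `ip -6 route` output.
V4_VPN = """0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600"""
V6_LEAK = """2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""
V6_TUNNELED = """2000::/3 dev tun0 metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""
V6_ABSENT = "fe80::/64 dev wlan0 proto kernel metric 256 pref medium"


def egress_devs(route_text, family):
    """Interfaces that carry internet-bound traffic for one address family."""
    routes = {}  # destination -> list of (metric, dev)
    for line in route_text.splitlines():
        dev = re.search(r"\bdev (\S+)", line)
        if not dev:
            continue
        metric = re.search(r"\bmetric (\d+)", line)
        entry = (int(metric.group(1)) if metric else 0, dev.group(1))
        routes.setdefault(line.split()[0], []).append(entry)
    for dests in CAPTURE_SETS[family]:
        if all(d in routes for d in dests):
            # Lowest metric wins when a destination has several routes.
            return {min(routes[d])[1] for d in dests}
    return set()  # no route to the internet for this family


def audit(v4_routes, v6_routes):
    """Classify a host as 'ipv4-not-tunneled', 'ipv6-leak' or 'ok'."""
    v4 = egress_devs(v4_routes, 4)
    if not v4 or not all(d.startswith(TUNNEL_PREFIXES) for d in v4):
        return "ipv4-not-tunneled"
    v6 = egress_devs(v6_routes, 6)
    return "ok" if all(d.startswith(TUNNEL_PREFIXES) for d in v6) else "ipv6-leak"


if __name__ == "__main__":
    for name, v6 in [("leak", V6_LEAK), ("tunneled", V6_TUNNELED), ("absent", V6_ABSENT)]:
        print(name, audit(V4_VPN, v6))
```

A host with no IPv6 route to the internet is reported as `ok`, since there is no IPv6 path for traffic to leave by.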

Another problem they found, however, is that many VPN service providers still rely on outdated tunneling protocols such as PPTP that can be easily broken through brute-force attacks.

The authors point to Tor along with Linux distributions such as Tails as potential alternatives for those seeking anonymity. Enterprise VPNs, meanwhile, are largely unaffected by the leakage problems, they said.

"For the average business user of VPN technology, there is no impact," said Steve Manzuik, director of research at Duo Security.

Users who rely on VPN services for privacy, however, should "always be aware of what protocols their systems are transmitting on and consider a VPN service that also provides coverage for those or at the very least disable those that are unused," Manzuik advised.

It's also worth noting that VPN technology was not designed to offer privacy so much as to offer a more secure way to connect to an organization's internal network infrastructure via untrusted networks, he pointed out.

"Even with a well-configured VPN in place," Manzuik said, "there are other methods to identify a user and violate their perceived privacy."


Katherine Noyes

IDG News Service