The Paper
A recent study has concluded that virtual private network (VPN) services may not be as safe as they are widely considered to be. People use VPN services to make their connections more secure. However, the report, titled “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients”, points out that some VPNs suffer from a vulnerability known as IPv6 leakage. This means that someone may exploit the vulnerability to spy on users and acquire some of their information. The paper was written by researchers at Queen Mary University of London and Sapienza University of Rome.
The Findings
The study was conducted last year and included 14 popular commercial VPN providers from all over the world. The results were disappointing: only 3 out of the 14 did not leak any information. These are Mullvad, Private Internet Access, and VyprVPN. All of the others failed the test, as they could not protect data such as the web pages users were accessing, or even their communications. As you can see, this is a serious security breach. The study also mentioned that there was a way for TorGuard to deal with this vulnerability, but that option was not enabled by default.
The Method
The attacks that the researchers performed on these services included passive monitoring and DNS hijacking. The former meant that a hacker gained access to the VPN and collected all encrypted data that was being transferred. DNS hijacking, on the other hand, is where the hacker redirects users to malicious websites that mimic genuine web pages, such as Facebook or Google. This way they can obtain users’ credentials.
What is Safe
It has to be noted that websites running HTTPS encryption were not affected by this vulnerability.
The study also covered mobile platforms. It was discovered that iOS devices were more secure when using a VPN, while Android-based ones were still vulnerable.
Cause of Vulnerability
There are a couple of factors that create these vulnerabilities for VPN users. One of them is that network providers use more and more IPv6, while VPNs provide protection for IPv4 traffic exclusively. The other problem the researchers found is that the VPN services themselves used outdated tunneling protocols. PPTP is one such protocol, which can be compromised by simple brute-force attacks.
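One way to check a Linux host for the IPv4-only protection gap described above, as an added example that is not from the paper or any VPN vendor: it parses the text output of `ip -4 route show` and `ip -6 route show` and reports whether IPv6 traffic would leave outside the tunnel. The tunnel interface prefixes (`tun`, `wg`, `ppp`), the test destinations and the sample routing tables are assumptions constructed for illustration.

```python
import ipaddress

BLOCKING = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic

def parse_routes(text, family):
    """Parse `ip -4 route show` / `ip -6 route show` output into (network, dev, metric)."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        blocked = bool(tok) and tok[0] in BLOCKING
        tok = tok[1:] if blocked else tok
        if not tok:
            continue
        prefix = ("0.0.0.0/0" if family == 4 else "::/0") if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types this sketch does not model
        dev = tok[tok.index("dev") + 1] if "dev" in tok and not blocked else None
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes

def egress(routes, dest):
    """Longest-prefix match, lowest metric on ties. None means no route or a blocking route."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in routes if addr in r[0]]
    return min(hits, key=lambda r: (-r[0].prefixlen, r[2]))[1] if hits else None

def ipv6_leak_status(v4_text, v6_text, tunnel_prefixes=("tun", "wg", "ppp")):
    """Compare where IPv4 and IPv6 internet-bound traffic would leave the host."""
    v4_dev = egress(parse_routes(v4_text, 4), "203.0.113.1")       # constructed test destination
    v6_dev = egress(parse_routes(v6_text, 6), "2001:db8:ffff::1")  # constructed test destination
    in_tunnel = lambda dev: dev is not None and dev.startswith(tunnel_prefixes)
    if not in_tunnel(v4_dev):
        return "vpn-not-active"
    if v6_dev is None:
        return "ipv6-blocked"
    return "ipv6-tunnelled" if in_tunnel(v6_dev) else "ipv6-leak"

# Constructed sample routing tables (not captured from any real VPN client).
V4_VPN = """0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600"""
V6_LEAK = """2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""
V6_BLOCKED = """unreachable default dev lo metric 1 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""

if __name__ == "__main__":
    print(ipv6_leak_status(V4_VPN, V6_LEAK))
    print(ipv6_leak_status(V4_VPN, V6_BLOCKED))
```

A result of `ipv6-leak` means IPv4 is routed into the tunnel while IPv6 still follows the physical interface's default route, which is the condition the study calls IPv6 leakage.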
Not all of the news is bad, however. The paper shows that enterprise VPNs are much more secure. This means that average VPN users are largely unaffected by this vulnerability. For users who seek anonymity, the researchers suggest Tor and Tails as alternative options.
VPN Doesn’t Provide Anonymity
Lastly, the paper points out that the purpose of a VPN was never to provide privacy. Rather, it was created to give users a more secure connection when they access an organization’s internal network infrastructure over untrusted networks. So, you see, VPNs were never made to hide your identity online. Even virtual private networks that are set up as well as possible can be broken into.