VPNs not as secure as users think
Some private network services may be leaking sensitive data, report finds
PUBLISHED : Friday, 03 July, 2015, 1:08am
UPDATED : Friday, 03 July, 2015, 1:08am
James Griffiths [email protected]
The VPNs in question include popular services Hide My Ass, IPVanish and Astrill. None of the three responded to requests for comment. Photo: Dickson Lee
Fourteen of the world's most popular virtual private network (VPN) services may be leaking sensitive customer data, a new report has revealed.
According to researchers from the Queen Mary University of London and the University of Rome, VPN users may not be as safe from snooping as they think.
"Users who believe themselves to be anonymous and secure will be in fact fully exposing their data and online activity footprint," the researchers said.
The VPNs in question include popular services Hide My Ass, IPVanish and Astrill. None of the three responded to requests for comment.
The main vulnerability was identified as "IPv6 traffic leakage". IPv6 is the latest version of the communications protocol that provides an identification and location system for routing traffic across the web.
VPN services operate by tunnelling traffic through a protective protocol such as OpenVPN, L2TP or PPTP. All data should therefore pass through the VPN in an encrypted form.
However, almost all VPN services examined by the researchers did not tunnel IPv6 traffic effectively, if at all.
"Although not a serious problem some years ago, increasing amounts of traffic is now IPv6, bringing the problem to criticality," the report said.
According to Google, around 7 per cent of global internet traffic is IPv6. In the United States, it exceeds 20 per cent.
Another potential vulnerability identified in the paper was "DNS hijacking", which works by redirecting queries about domain name systems to a server controlled by the attacker.
DNS servers translate domain names (such as SCMP.com into the corresponding IP address. This allows the user's machine to talk to the server hosting the desired website, and display it on their browser.
"Despite the criticality of the DNS resolution process, we found that most VPN services do not take significant steps to secure it," the researchers said.
Astrill was the only VPN provider examined by the researchers which provided some protection against DNS hijacking.
The report also criticised VPN service providers for exposing users to "misinformation" about their products.
VPNs are popular for making traffic anonymous and bypassing regional blocks on services such as BBC iPlayer or Hulu, the American ad-supported streaming service.
However, as the paper found, their effectiveness in the former role is questionable.
In China, VPNs are used by many people seeking to bypass internet restrictions put in place by the so-called Great Firewall. Twitter, Facebook, YouTube and Instagram are all blocked on the mainland due to the Communist Party's concerns about people mobilising online.
Beijing recently cracked down on VPN usage on the mainland, much to the dismay of its tech savvy citizens, who increasingly rely on them.
