Most internet anonymity software leaks users' details

June 29, 2015, Queen Mary, University of London

Virtual Private Networks (VPNs) are legal and increasingly popular for individuals wanting to circumvent censorship, avoid mass surveillance or access geographically limited services like Netflix and BBC iPlayer. Used by around 20 per cent of European internet users, they encrypt users' internet communications, making it more difficult for people to monitor their activities.

The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leaked information ranged from the websites a user is accessing to the actual content of user communications, for example comments being posted on forums. Interactions with websites running HTTPS encryption, which includes financial transactions, were not leaked.

The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet, called IPv6. IPv6 replaces the previous IPv4, but many VPNs only protect users' IPv4 traffic. The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use.
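A defensive check for the condition described above, added here as an illustration and not taken from the study or from any VPN client: it reads a client's IPv4 and IPv6 routing tables and reports whether IPv6 traffic would leave outside the tunnel. It assumes a Linux client using iproute2; the interface names `tun0` and `wlan0` and the sample route output are constructed.

```python
import ipaddress

# Constructed `ip -4 route show` / `ip -6 route show` output for a dual-stack
# client whose VPN only installed IPv4 routes. tun0 (tunnel) and wlan0 (WiFi)
# are assumed interface names.
ROUTES_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
ROUTES_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
BLOCKING = {"unreachable", "blackhole", "prohibit"}  # route types that drop traffic

def parse_routes(text, version):
    """Yield (network, device or None if blocking, metric) per route line."""
    any_net = "0.0.0.0/0" if version == 4 else "::/0"
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        blocked = tok[0] in BLOCKING
        if blocked:
            tok = tok[1:]
        net = ipaddress.ip_network(any_net if tok[0] == "default" else tok[0], strict=False)
        dev = tok[tok.index("dev") + 1] if "dev" in tok and not blocked else None
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        yield net, dev, metric

def egress_device(text, version, dest):
    """Interface chosen for dest: longest prefix first, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [(n.prefixlen, -m, d) for n, d, m in parse_routes(text, version) if addr in n]
    return max(matches, key=lambda r: r[:2])[2] if matches else None

def ipv6_leaks(routes_v4, routes_v6, tunnel="tun0"):
    """True when IPv4 egress is tunnelled but IPv6 egress is not."""
    v4 = egress_device(routes_v4, 4, "198.51.100.7")      # documentation addresses
    v6 = egress_device(routes_v6, 6, "2001:db8:ffff::7")  # stand in for a remote host
    return v4 == tunnel and v6 not in (None, tunnel)

if __name__ == "__main__":
    print("IPv6 leak:", ipv6_leaks(ROUTES_V4, ROUTES_V6))
```

A table in which the IPv6 default route points at the tunnel, or is a blocking route, makes `ipv6_leaks` return `False`.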

Researchers attempted two of the kinds of attacks that might be used to gather user data - 'passive monitoring', simply collecting the unencrypted information that passed through the access point; and DNS hijacking, redirecting browsers to a controlled web server by pretending to be commonly visited websites like Google and Facebook.

The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android.

Dr Gareth Tyson, a lecturer from QMUL and co-author of the study, said:

"There are a variety of reasons why someone might want to hide their identity online and it's worrying that they might be vulnerable despite using a service that is specifically designed to protect them.

"We're most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions."


More information: The paper 'A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients' by V. Perta, M. Barbera, G. Tyson, H. Haddadi, A. Mei will be presented at the Privacy Enhancing Technologies Symposium on Tuesday 30 June 2015. petsymposium.org/2015/

*20% of European internet users use VPNs according to a Global Web Index report from October 2014 www.globalwebindex.net/blog/vpn-infographic


5 comments


Bloodyorphan
not rated yet Jun 29, 2015
I wonder how they can map an IPv6 address back to an actual user, their browsing behavior may be leaked, but anonymity should still be preserved unless the VPN is broadcasting the client IPv4 details or is compromised.
(You could switch off IPv6 on the client if you are paranoid, surely? Most ISPs don't support native IPv6 routing at this point anyway.)
TehDog
5 / 5 (1) Jun 29, 2015
"The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a WiFi access point which was designed to mimic the attacks hackers might use."

Sounds like a typical MITM (man in the middle) system so far.

"Researchers attempted two of the kinds of attacks that might be used to gather user data - 'passive monitoring', simply collecting the unencrypted information that passed through the access point; and DNS hijacking, redirecting browsers to a controlled web server by pretending to be commonly visited websites like Google and Facebook."

Yep, MITM
TehDog
5 / 5 (1) Jun 29, 2015
"The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android."

Info on which versions of each OS are more or most vulnerable would have been appreciated.

"We're most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions."

Anyone relying on a public wifi network, even with a VPN, to be secure, is naive in the extreme.
Link to paper, not had time to read it yet, not expecting any great surprises :]

http://www.eecs.q...5VPN.pdf
TehDog
5 / 5 (1) Jun 30, 2015
@Bloodyorphan
I'd suggest checking this, more details there;
http://www.thereg...y_tests/
Also the comments are mostly by folks who know their stuff, so worth a read.
Still not had a chance to do more than glance at the paper, but from the Reg article, looks like a combination of outdated protocols, and poor ipv4->ipv6 handling.
Bloodyorphan
5 / 5 (1) Jun 30, 2015
Thanks TehDog, confirms what I was saying, don't use the IP6 stack on your clients full stop.

I've been tinkering with the Microsoft implementation of IPv6 recently, and it's got a lot of problems, the only reason I'm investigating is the MS updates keep forcing machines on the network to start using ip6 and they collapse because the slaac addresses are not LAN contactable and all the DNS queries start failing.

So I set up a server DHCP for IP6 to try and alleviate the problem, it did work but I had to reboot the clients 2 or 3 times. Then set the IP6 address manually, but don't let it reboot when it asks.

Like you said, if you are in a country that has censorship, then don't use the Internet to try and circumvent it, there is no safe way to hide your traffic, you have to assume your internet provider is compromised.

This PDF gives a very scary breakdown of how vulnerable these OpenVPN technologies really are http://www.eecs.q...5VPN.pdf
