
Most VPNs leak user details, study shows

Researchers have found nearly 80% of popular VPN providers leak information about the user because of a vulnerability known as IPv6 leakage

Most virtual private network (VPN) services used by hundreds of thousands of people to protect their identity online are vulnerable to leaks, a study has revealed.

VPNs are used by around 20% of European internet users to encrypt communications to circumvent censorship, avoid mass surveillance and access geographically limited services, such as BBC iPlayer.

But a study of 14 popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as IPv6 leakage, according to researchers at Queen Mary University of London (QMUL).

The leaked information ranged from the websites a user is accessing to the actual content of user communications, such as comments posted on forums. However, interactions with websites running HTTPS encryption, which includes financial transactions, were not subject to leaks.

The leakage occurs because network operators are increasingly deploying IPv6, the new version of the internet protocol that is set to replace IPv4, but many VPNs currently protect only users' IPv4 traffic.
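On a client, this condition is visible in the routing table: IPv4 destinations resolve to the VPN tunnel interface while IPv6 destinations still resolve to the physical interface. The check below is an added example, not code from the study or the article. The interface names (`tun0`, `wlan0`), the probe addresses and the sample `ip route` output are constructed assumptions, and route metrics are ignored.

```python
import ipaddress

DROP_TYPES = {"unreachable", "blackhole", "prohibit"}  # routes that discard traffic

def parse_routes(text, version):
    """Parse `ip -4 route show` / `ip -6 route show` output into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        dropped = bool(tok) and tok[0] in DROP_TYPES
        if dropped:
            tok = tok[1:]
        if not tok:
            continue
        prefix = tok[0]
        if prefix == "default":
            prefix = "0.0.0.0/0" if version == 4 else "::/0"
        net = ipaddress.ip_network(prefix, strict=False)
        dev = None if dropped or "dev" not in tok else tok[tok.index("dev") + 1]
        routes.append((net, dev))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match; None means no route or a route that drops the packet."""
    addr = ipaddress.ip_address(destination)
    matches = [(net.prefixlen, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else None

def ipv6_leaks(v4_text, v6_text, tunnel_dev, probe4="198.51.100.7", probe6="2001:db8::1"):
    """True when IPv4 leaves via the tunnel but IPv6 leaves via another interface."""
    v4_dev = egress_device(parse_routes(v4_text, 4), probe4)
    v6_dev = egress_device(parse_routes(v6_text, 6), probe6)
    return v4_dev == tunnel_dev and v6_dev not in (None, tunnel_dev)

# Constructed sample: the VPN covers IPv4 with two /1 routes and leaves IPv6 untouched.
V4_SAMPLE = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23"""
V6_SAMPLE = """::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium"""

if __name__ == "__main__":
    print("IPv6 leak:", ipv6_leaks(V4_SAMPLE, V6_SAMPLE, "tun0"))
```

A client that routes IPv6 through the tunnel, drops it with an unreachable route, or has no IPv6 route at all is reported as not leaking.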

For the study, the researchers connected various devices to a Wi-Fi access point, which was designed to mimic the attacks hackers might use.

Researchers attempted two of the kinds of attacks that might be used to gather user data. One was passive monitoring, which simply collects unencrypted information that has passed through the access point. The other was DNS hijacking, which redirects browsers to a controlled web server by pretending to be commonly visited websites, such as Google and Facebook.

The study also examined the security of various mobile platforms when using VPNs and found they were much more secure when using Apple’s iOS, but were still vulnerable to leakage when using Google’s Android.


“There are a variety of reasons why someone might want to hide their identity online. It is worrying they might be vulnerable despite using a service specifically designed to protect them,” said Gareth Tyson, a lecturer from QMUL and co-author of the study.

“We are most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity, while actually they're revealing all their data and online activity and exposing themselves to possible repercussions,” he said.

The paper, "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients", will be presented at the Privacy Enhancing Technologies Symposium in Philadelphia on 30 June 2015.

In August 2011, Computer Weekly quoted James Lyne, currently the research chief at security firm Sophos, as saying criminals were already capitalising on the fact that few people are filtering IPv6 traffic or even know how to.

In the transition period, Lyne advised businesses to turn off IPv6 until they are thoroughly prepared for the security implications of the new protocol and have updated all security filters and controls in their networks. Only switch IPv6 on, he said, once the controls are in place.

There is no instant switch to the new protocol, said Lyne, so partial adoption means using tunnelling technologies to transport IPv6 over IPv4, and this kind of workaround is another potential source of confusion, misconfiguration and security gaps.

It is important that businesses understand whether their web security solution can rate and analyse IPv6 content, he said, because without that ability, users will be vulnerable to attacks.
