As governments strive to develop tools for monitoring and network monitoring, VPN, secure tools that provide a connection and partly anonymize the user, are growing. But researchers at the Sapienza University in Rome and at Queen Mary University in London published a study highlighting flaws in several commercial VPN for the general public.
The report prepared by the researchers is clear: all tested VPN services are vulnerable to any security flaws.
The researchers identified two vulnerabilities affecting most of these services: first, a named IPv6 vulnerability Leaks, which originates in the fact that most of these VPN not support IPv6 traffic and do not secure that traffic. A security vulnerability is even more striking that most OS tend to prioritize IPv6 whenever possible.
The other scenario detailed by researchers is that of a DNS attack: by intercepting DNS requests from the VPN user, an attacker can thus track the browsing history of his victim. The researchers exposed 14 VPN these two types of attacks, and no candidate has been entitled to no-fault: they are all, according to them, vulnerable to any of these attacks.
But the study strongly displeases VPN vendors used in the tests conducted by the researchers. So PureVPN was the first to unsheathe by publishing on his blog a denial, pointing the inaccuracy and dated some of the information in the study. The publisher says have “long since made their own DNS servers on their network,” which according to them correcting the security flaw noticed by researchers.
Same logic for IPv6leak, the company said it had also taken steps to correct this vulnerability and advises users to disable them even support IPv6 to avoid exposure. The VPN Tor guard, also mentioned in the study, also used the occasion to announce to have strengthened its security measures with regard to this flaw. An understandable measure, but that does not favor the already sluggish adoption of this new addressing protocol.
The detailed fault by the researchers is not very new, the study notes that the latter, although known for some time, is exploitable against most commercial VPN providers. The researchers note in their conclusions that companies using VPN services should be unaffected by this flaw, provided they are correctly configured.
The DNS takeover might be possible, but “would require on the part of the attacker a great knowledge of the network.” The study is concerned on the other hand the consequences of this type of fault on Individuals using these technologies in totalitarian regimes, and the false sense of security that they can create.