A team of five researchers from London and Rome found that 14 from the world's leading Virtual Private Servers (VPN) has leaked IP data.
Οι Vasile C. Perta, Marco V. Barbera, και Alessandro Mei από το Πανεπιστήμιο Sapienza της Ρώμης, μαζί με τους Gareth Tyson, και Hamed Haddadi του Queen Mary University of London report that vendors' promises to protect their users' privacy are broken.
"Although a well-known issue, an experimental study reveals that most VPN services suffer from IPv6 traffic leaks," say study authors A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients [PDF].
"Our findings confirm the criticality of the current situation: in many of these [14] providers, there are total leaks, or a critical part of user traffic in mild environments.
"The reasons for these shortcomings are different, and if nothing else vague, or their nature has been little explored."
The team reviewed top companies such as: Hide My Ass, PrivateInternetAccess, and IPVanish.
They implemented dual stack OpenWrt IPv6 connections over IPv4 channels networkυ Wi-Fi με ενημερωμένες εκδόσεις Ubuntu, Windows, OSX, iOS 7 και Android.
So they created a simulated environment where users trust VPNs to protect them from a hostile network.
All but the Astrill provider was open to IPv6 DNS hijacking attacks and only four companies did not leak IPv6 data.
No company was resistant to both threats.
Researchers report:
"Our project initially started as a general investigation, but we soon discovered that there is a serious vulnerability in IPv6 traffic leaks that is pervasive in almost all VPN services. A further security check revealed two DNS hijacking attacks that allowed us to access all of the victim's movements and traffic. "
Researchers have discovered that the most common VPN tunnelling technologies are based on obsolete technologies such as PPTP with MS-CHAPv2, which could break with brute-force attacks.
The "vast majority" of commercial VPNs, according to the researchers, suffer from dual stack data leakage into IPv4 and IPv6 networks in such a way that they expose "significant amounts" of traffic contrary to the claims of the supplier.
"The most important thing we found is that the small amount of IPv6 traffic leaking out of the VPN channel has the potential to expose the entire user browsing history, even if it only surfs IPv4 web pages."
“… While all VPN clients use the IPv4 routing table, they tend to ignore the IPv6 routing table. Additionally there are no rules to redirect IPv6 traffic in the tunnel. This can cause all IPv6 traffic to bypass the VPN's virtual interface. Although this was not a serious issue a few years ago, the increasing amounts of traffic that now exist over IPv6 make it problem high criticality. "
