A team of five researchers from the Universities of London and Rome found that 14 of the leading commercial Virtual Private Servers (VPN) in the world, have IP data leaks.
Vasile C. Perta, Marco V. Barbera, and Alessandro Mei of Rome's Sapienza University, along with Gareth Tyson, and Hamed Haddadi of Queen Mary University of London report that vendors promise to protect the privacy of their users not applicable.
"Although a well-known issue, an experimental study reveals that most VPN services suffer from IPv6 traffic leaks," say study authors A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients [PDF].
"Our findings confirm the criticality of the current situation: in many of these [14] providers, there are total leaks, or a critical part of user traffic in mild environments.
"The reasons for these shortcomings are different, and if nothing else vague, or their nature has been little explored."
The team reviewed top companies such as: Hide My Ass, PrivateInternetAccess, and IPVanish.
They implemented dual stack OpenWrt IPv6 connections over IPv4 channels networky Wi-Fi with updated versions of Ubuntu, Windows, OSX, iOS 7 and Android.
So they created a simulated environment where users trust VPNs to protect them from a hostile network.
All but the Astrill provider was open to IPv6 DNS hijacking attacks and only four companies did not leak IPv6 data.
No company was resistant to both threats.
Researchers report:
"Our project initially started as a general project research, but we soon discovered that there is a serious vulnerability, IPv6 traffic leakage, that is pervasive in almost all VPN services. A further security check revealed two DNS hijacking attacks that allowed us to gain access to all of the victim's movements and traffic.”
Researchers have discovered that the most common VPN tunnelling technologies are based on obsolete technologies such as PPTP with MS-CHAPv2, which could break with brute-force attacks.
The "vast majority" of commercial VPNs, according to the researchers, suffer from dual stack data leakage into IPv4 and IPv6 networks in such a way that they expose "significant amounts" of traffic contrary to the claims of the supplier.
"The most important thing we found is that the small amount of IPv6 traffic leaking out of the VPN channel has the potential to expose the entire user browsing history, even if it only surfs IPv4 web pages."
“… While all VPN clients use the IPv4 routing table, they tend to ignore the IPv6 routing table. Additionally there are no rules to redirect IPv6 traffic in the tunnel. This can cause all IPv6 traffic to bypass the virtual interface του VPN. Παρά το γεγονός ότι δεν ήταν σοβαρό ζήτημα πριν από μερικά χρόνια, οι αυξανόμενες ποσότητες της κυκλοφορίας που υπάρχουν πλέον ατο IPv6, καθιστούν το problem high criticality. "
