DNS hijacking & IPv6 leakage: Is commercial VPN dead?
Yes, at least 14 VPN providers are, according to a study conducted by five security researchers
from Queen Mary University of London (QMUL) and Sapienza University of Rome.
The research showed that 14 tested commercial VPN providers are open to DNS hijacking and
thus may leak user data.
“Despite the criticality of the DNS resolution process, we found that most VPN services do not
take significant steps to secure it,” the authors wrote in their paper “A Glance Through the
Looking Glass VPN: IPv6 and DNS hijacking Leakage in Commercial VPN clients” (PDF).
The researchers observed the behavior of the 14 software clients on a Wi-Fi access point. They
set up an IPv6-through-IPv4 tunnel (Campus Dual Stack OpenWRT) and tested two DNS
hijacking attacks that granted access to all traffic of the monitored subject.
All experiments were carried out on current Ubuntu, Windows, OSX, iOS 7 and Android
platforms, the most common environments in which VPNs are used.
Only 4 out of 14 were found able to protect their users against data loss through IPv6 traffic
leakage: “Whereas our work initially started as a general exploration, we soon discovered that a
serious vulnerability, IPv6 traffic leakage, is pervasive across nearly all VPN services. In many
cases, we measured the entirety of a client’s IPv6 traffic being leaked over the native interface.
A further security screening revealed two DNS hijacking attacks that allow us to gain access to
all of a victim’s traffic.”
Why did the tested VPN providers fail?
Internet Protocol version 4 (IPv4) is bound to reach its limits soon, which is why version 6
(IPv6) was created, primarily to overcome the finite number of currently available
Internet addresses.
IPv6 has multiple technical benefits, including hierarchical address allocation methods,
simplified multicast addressing, device mobility, and security and configuration
aspects.
Unfortunately, since IPv6 isn’t globally available yet and most Internet connections are through
IPv4, it seems that many VPN providers neglect the integration of IPv6 into their products,
ignoring the fact that if an Internet connection is equipped with both IPv4 and IPv6, personal
data might leak unprotected on the IPv6 interface parallel to the protected IPv4 tunnel.
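The dual-stack condition described above can be checked from a Linux client's routing tables. The following is an added example, not code from the article or the researchers' paper: it does a longest-prefix match over `ip -4 route show` and `ip -6 route show` output, and the sample routes, interface names, tunnel-prefix list and probe addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample `ip -4 route show` / `ip -6 route show` output for a
# dual-stack Linux client with an IPv4-only VPN up (all values are made up).
SAMPLE_V4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
"""
SAMPLE_V6 = """\
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
TUNNEL_PREFIXES = ("tun", "tap", "wg", "ppp")  # assumed VPN interface names
# Documentation-range addresses standing in for an arbitrary off-link host.
PROBE4, PROBE6 = "198.51.100.1", "2001:db8:ffff::1"

def egress_dev(route_text, probe):
    """Return the interface the most specific matching route sends `probe` to."""
    dst = ipaddress.ip_address(probe)
    best = None  # (prefix length, negated metric, device)
    for line in route_text.splitlines():
        tok = line.split()
        if "dev" not in tok:
            continue
        any_net = "::/0" if dst.version == 6 else "0.0.0.0/0"
        try:
            net = ipaddress.ip_network(any_net if tok[0] == "default" else tok[0], strict=False)
        except ValueError:
            continue  # typed routes ("unreachable", ...) are out of scope here
        if net.version != dst.version or dst not in net:
            continue
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        cand = (net.prefixlen, -metric, tok[tok.index("dev") + 1])
        if best is None or cand[:2] > best[:2]:
            best = cand
    return best[2] if best else None

def check_ipv6_leak(v4_routes, v6_routes):
    """Leak: IPv4 leaves via the tunnel while IPv6 leaves via a native interface."""
    tunnelled = lambda dev: dev is not None and dev.startswith(TUNNEL_PREFIXES)
    v4_dev, v6_dev = egress_dev(v4_routes, PROBE4), egress_dev(v6_routes, PROBE6)
    leak = tunnelled(v4_dev) and v6_dev is not None and not tunnelled(v6_dev)
    return {"v4_dev": v4_dev, "v6_dev": v6_dev, "leak": leak}

if __name__ == "__main__":
    print(check_ipv6_leak(SAMPLE_V4, SAMPLE_V6))
```

On a live host, the two arguments would be the captured text of the two `ip` commands; a result with no IPv6 egress device means IPv6 has no off-link route and is not reported as a leak.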
22 Cyber Warnings E-Magazine – August 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide