If you are into secure browsing, online anonymity, and accessing geographically restricted services, you are most probably using a Virtual Private Network (VPN) service that provides you with a ton of features including security, encryption and anonymity, among other things. However, a new study by researchers at Queen Mary University of London has found that almost all major VPN providers are not providing the security they promise, as they leak user information to varying degrees.
Researchers have found that eleven out of the fourteen major VPN services are vulnerable to ‘IPv6 leakage’. They found that the leaked information could be as little as the name of a website visited by a user or as much as actual user communications. However, they also found that if the website visited by a user was served over HTTPS, no information was leaked, and this included financial transactions.
According to experts at the university, the leakage of information occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet, called IPv6. IPv6 replaces the previous IPv4, but many VPNs protect only users’ IPv4 traffic.
The researchers tested their ideas by choosing fourteen of the most famous VPN providers and connecting various devices to a Wi-Fi access point which was designed to mimic the attacks hackers might use.
Researchers attempted two kinds of attack that might be used to gather user data: ‘passive monitoring’, which simply collects the unencrypted information that passes through the access point; and DNS hijacking, which redirects browsers to a controlled web server by pretending to be commonly visited websites like Google and Facebook.
The study also examined the security of various mobile platforms when using VPNs and found that VPNs were much more secure on Apple’s iOS, but were still vulnerable to leakage on Google’s Android.
Dr Gareth Tyson, a lecturer from QMUL and co-author of the study, said: “There are a variety of reasons why someone might want to hide their identity online and it’s worrying that they might be vulnerable despite using a service that is specifically designed to protect them.
“We’re most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions.”
The services tested by researchers were: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, TunnelBear, proXPN, Mullvad and Hotspot Shield Elite. Though only eleven were vulnerable to ‘IPv6-Leak’, all but one were vulnerable to DNS hijacking.