Researchers from London's Queen Mary College found that 11 out of 14 popular VPN providers had a vulnerability in the way that they dealt with the emerging internet technology. The team found that many VPN providers only protect IPv4 traffic and not the newer protocol.
VPN technology is used extensively by individuals who want to keep browsing data secure – either because they wish to access services outside their geographic region (Netflix for example) or because they want to keep their data hidden.
According to Dr Gareth Tyson, the flaw was discovered accidentally when one of his researchers noticed that while a VPN service should have placed him in the US, he was still registered as being in Britain. “The service wasn't doing what it should have been doing,” he said. That prompted an investigation and his team discovered the IPv6 leakage vulnerability.
He said that it was possible to avoid the problem – as some providers (TorGuard, PrivateInternetAccess, VyprVPN and Mullvad, for example) were doing. “They were disabling IPv6; if you were connected to the service by using IPv6 they would disable it.” Tyson said all providers could have this as an option but many choose not to. “There are three types of providers: those who are always vulnerable, those who are never vulnerable – because they switch IPv6 off – and those who don't make IPv6.”
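The leak the researchers describe is visible from the routing table: the VPN client installs an IPv4 default route through its tunnel interface, but the host's IPv6 default route still points at the physical network card, so any IPv6-capable destination is reached outside the tunnel. The following Python script, written for this article as an illustration and not code from the Queen Mary team or from any VPN provider, parses `ip -6 route show` output (the two sample tables are constructed; the interface name `tun0` is an assumption) and reports whether IPv6 traffic would bypass the tunnel. It is a defender-side check a user can run on Linux before trusting a VPN connection.

```python
import ipaddress
import subprocess

# Constructed sample of `ip -6 route show` on a host whose VPN tunnel (tun0)
# only carries IPv4: the IPv6 default route still goes out via eth0.
SAMPLE_ROUTES_LEAKING = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 expires 1799sec pref medium
"""

# Constructed sample of a provider that routes IPv6 through the tunnel.
SAMPLE_ROUTES_TUNNELLED = """\
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium
"""


def parse_routes(text):
    """Turn `ip -6 route` lines into (prefix, dev, gateway) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "::/0" if parts[0] == "default" else parts[0]
        dev = gateway = None
        for i in range(1, len(parts) - 1):
            if parts[i] == "dev":
                dev = parts[i + 1]
            elif parts[i] == "via":
                gateway = parts[i + 1]
        routes.append((prefix, dev, gateway))
    return routes


def find_ipv6_leaks(route_text, tunnel_dev):
    """Return routes that would send non-link-local IPv6 traffic around the tunnel.

    A default route on any interface other than the tunnel is a leak; so is any
    gateway ("via") route for a non-link-local prefix on another interface.
    Connected link-local prefixes (fe80::/64) are normal and are ignored.
    """
    leaks = []
    for prefix, dev, gateway in parse_routes(route_text):
        if dev == tunnel_dev:
            continue
        net = ipaddress.IPv6Network(prefix, strict=False)
        if net.prefixlen == 0:
            leaks.append((prefix, dev, gateway))
        elif gateway is not None and not net.is_link_local:
            leaks.append((prefix, dev, gateway))
    return leaks


def classify(route_text, tunnel_dev):
    """Map a routing table onto the three states the article describes:
    'leak' (IPv6 bypasses the VPN), 'tunnelled' (IPv6 default via the tunnel),
    or 'no_ipv6_default' (no IPv6 default route at all, e.g. IPv6 disabled)."""
    if find_ipv6_leaks(route_text, tunnel_dev):
        return "leak"
    for prefix, dev, _gateway in parse_routes(route_text):
        if prefix == "::/0" and dev == tunnel_dev:
            return "tunnelled"
    return "no_ipv6_default"


def live_check(tunnel_dev="tun0"):
    """Run the check against the local host (Linux with iproute2 installed)."""
    out = subprocess.run(["ip", "-6", "route", "show"],
                         capture_output=True, text=True, check=True).stdout
    return classify(out, tunnel_dev), find_ipv6_leaks(out, tunnel_dev)


if __name__ == "__main__":
    for name, table in (("leaking host", SAMPLE_ROUTES_LEAKING),
                        ("tunnelled host", SAMPLE_ROUTES_TUNNELLED)):
        print(name, "->", classify(table, "tun0"), find_ipv6_leaks(table, "tun0"))
```

The "no_ipv6_default" outcome corresponds to the providers Tyson describes as switching IPv6 off while connected; on Linux that blunt mitigation is the `net.ipv6.conf.all.disable_ipv6=1` sysctl, and a client that applies it will produce an empty IPv6 routing table rather than a default route via the tunnel.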
Tyson said that his researchers had not identified any attacks in the wild but he said there were certainly some plausible scenarios. “There are two forms of attack – a passive one, which would involve using the IPv6 leak to collect data on users, or a more active attack, for example, by creating a wi-fi hotspot and advertising it as The Cloud. If users want to use VPN, they'll think they're protected – but they won't be.”
The Queen Mary team also looked at mobile access and found that there were vulnerabilities in Android phones although, Tyson said, these have now been fixed. Apple had never been at risk of IPv6 leakage.
Tyson said the survey had been carried out last summer and the service providers had been informed of the vulnerability last year.
The co-founder of one of them, TunnelBear, said the company had already addressed many of the concerns since being alerted to the problem. “On our Windows client, IPv6 has been blocked since March while the OS X client will be blocked shortly,” said Ryan Dochuk. “Additionally, within the next couple of weeks, IPv6 traffic will be temporarily dropped server side as an additional measure to mitigate any leakage.”
But, he said, the company was well prepared for the emerging use of IPv6. “We've been working on this for a while and are already well on our way to fully supporting IPv6 across our network,” added Dochuk.
Tyson agreed the companies had been acting on the revelations. “Many say they are working on a fix,” he said, “although we've not heard anything official from them.”