Popular VPNs leak data, don’t offer promised privacy and anonymity

Virtual Private Network (VPN) services can be used for circumventing Internet censorship and accessing blocked content, but researchers warn that you shouldn’t believe the companies’ claims that they offer privacy and anonymity.

A group of researchers from the Sapienza University (Rome) and Queen Mary University (London) have recently tested 14 of the most popular commercial VPN services: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.

They found that ten of them leak IP data, and all except one are vulnerable to IPv6 DNS hijacking attacks.

The researchers registered credentials with the services, explored their infrastructure, the tunnelling technology they use, and their client software.

They discovered that many of the services still rely on outdated technology that can be easily broken through brute-force attacks, that most of the VPN clients suffer from data leakage in dual-stack networks, and that significant amounts of traffic are exposed to public detection. The small amount of IPv6 traffic that leaks outside the VPN tunnel has the potential to expose a user's whole browsing history, even on IPv4-only websites.

What’s more, they found that a DNS hijacking attack exploiting a key vulnerability in many VPN configurations can lead to a substantial amount of IPv4 traffic being leaked from the VPN tunnel.

The researchers have also offered possible countermeasures to prevent IPv6 leakage and DNS hijacking, but noted that for anonymity and privacy, users should turn to Tor, not VPNs.
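Both leak classes described above, IPv6 traffic escaping a tunnel that only captures IPv4 and DNS queries going to a resolver outside the tunnel, are visible in a host's routing table and resolver configuration, so a defender can check a client for them before relying on it. The following Python script is an added example written for this page; it is not code from the researchers, from their paper, or from any of the VPN providers named above. It parses `ip route show` output and `/etc/resolv.conf` (Linux with iproute2), applies longest-prefix matching to find which interface a global IPv6 address and each configured resolver would be sent through, and reports anything that does not go via the tunnel interface (assumed here to be `tun0`). The route tables and resolv.conf contents embedded in it are constructed for illustration, and the two pass criteria (all global IPv6 routed through the tunnel or no IPv6 route at all; every resolver reachable only through the tunnel) are this example's own, not the specific countermeasures the researchers proposed.

```python
"""Offline-testable check for the two leak classes discussed above: IPv6
traffic bypassing the tunnel, and DNS resolvers reached outside it.
Added example for this page; not the researchers' or any provider's code."""
import ipaddress
import subprocess

# --- Constructed sample data (not captured from a real host) -------------
# `ip -4 route show`: the client (tun0) overrides the default route with the
# usual 0.0.0.0/1 + 128.0.0.0/1 pair, so IPv4 goes through the tunnel.
SAMPLE_IP4_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
"""
# `ip -6 route show`: the client installed no IPv6 routes, so the
# router-advertised default still points out of the physical NIC.
SAMPLE_IP6_ROUTES_LEAKY = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
multicast ff00::/8 dev eth0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""
# Same host after the client routes all of IPv6 into the tunnel.
SAMPLE_IP6_ROUTES_OK = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium
"""
# resolv.conf with the LAN router still listed vs. only the tunnel resolver.
SAMPLE_RESOLV_LEAKY = "nameserver 192.168.1.1\nnameserver 10.8.0.1\n"
SAMPLE_RESOLV_OK = "nameserver 10.8.0.1\n"


def parse_routes(text, family):
    """[(network, interface)] from `ip route show` output; lines whose first
    token is not a prefix (multicast, unreachable, ...) are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or "dev" not in fields:
            continue
        dst = fields[0]
        if dst == "default":
            dst = "0.0.0.0/0" if family == 4 else "::/0"
        try:
            net = ipaddress.ip_network(dst, strict=False)
        except ValueError:
            continue
        if net.version == family:
            routes.append((net, fields[fields.index("dev") + 1]))
    return routes


def parse_nameservers(text):
    """Resolver addresses from resolv.conf-style text."""
    return [f[1] for f in (line.split() for line in text.splitlines())
            if len(f) >= 2 and f[0] == "nameserver"]


def route_for(routes, addr):
    """Interface chosen by longest-prefix match (metrics ignored), or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def check_leaks(ip4_routes, ip6_routes, resolv_conf, tunnel_iface="tun0"):
    """Return a list of findings; an empty list means both checks passed."""
    r4, r6 = parse_routes(ip4_routes, 4), parse_routes(ip6_routes, 6)
    findings = []
    # IPv6: a global-scope address (constructed documentation-range value)
    # must route via the tunnel.  No IPv6 route at all is also acceptable:
    # that traffic is dropped rather than leaked.
    iface6 = route_for(r6, "2001:db8:ffff::1")
    if iface6 is not None and iface6 != tunnel_iface:
        findings.append(f"ipv6-leak: global IPv6 traffic routed via {iface6}")
    # DNS: every configured resolver must be reached through the tunnel,
    # otherwise queries leave over the local network outside it.
    for ns in parse_nameservers(resolv_conf):
        table = r4 if ipaddress.ip_address(ns).version == 4 else r6
        iface = route_for(table, ns)
        if iface != tunnel_iface:
            findings.append(f"dns-leak: resolver {ns} reached via {iface or 'no route'}")
    return findings


def check_live_host(tunnel_iface="tun0"):
    """Same check against the running Linux host (needs iproute2)."""
    def ip_route(family):
        return subprocess.run(["ip", family, "route", "show"], capture_output=True,
                              text=True, check=True).stdout
    with open("/etc/resolv.conf") as fh:
        return check_leaks(ip_route("-4"), ip_route("-6"), fh.read(), tunnel_iface)
```

On a live Linux host, `check_live_host()` returns the findings for the current configuration (pass the VPN client's actual interface name if it is not `tun0`); on the constructed samples, the leaky host yields one `ipv6-leak` and one `dns-leak` finding and the fixed host yields none. The matcher ignores route metrics and policy routing (`ip rule`), and it reads only the main table, so treat an empty result as a first check rather than proof that nothing leaves the tunnel.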

They also pointed out that although enterprise VPNs might be exposed to these attacks, their impact is rather limited compared to commercial VPN services.

“Throughout this study we realised that another worrying aspect of today’s market of VPN services is the large misinformation end users are exposed to, which makes it hard for them to properly tell apart vague and bold claims typical of product advertisement campaigns with actual facts,” they noted.

“In order to improve the current situation it is of primary importance to better reach out to the general public through active information campaigns. We believe that a more privacy conscious customer base would force VPN service providers to take serious actions towards securing their services and clients against issues that have been known to the community for a long time. At the same time, users would be able to choose the combination of technologies that better suit their needs.”