A virtual private network can provide peace of mind by encrypting your activity on the internet and hiding your identity while you browse, which allows you to visit foreign websites and provides a more secure way to transmit private information.
But a new study has uncovered weaknesses that could allow your phone or computer to be tricked into leaking your online data input, known as “traffic,” before the traffic reaches the protected VPN tunnel.
In a paper presented at the USENIX Security Symposium on August 11, researchers from New York University, KU Leuven University in Belgium and NYU Abu Dhabi dubbed the VPN problem “TunnelCrack.”
And no matter what type of device you use, or what your VPN is, you could be at risk.
What Were the Findings?
“Our tests indicate that every VPN product is vulnerable on at least one device,” the researchers wrote. “We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable.”
The differences appear to have to do with the way the various operating systems are designed.
The testers confirmed their findings by running 248 experiments involving 67 VPN providers on Windows, macOS, iOS, Linux and Android.
Study co-author Mathy Vanhoef, a professor at KU Leuven, says researchers were able to run their tests without putting the public at risk. “We…used our own phones and own laptops, installed a lot of VPN apps you can find and then tested it,” he says, “and could basically attack ourselves in a lot of cases.”
How Does TunnelCrack Work?
Two types of vulnerabilities were discovered: LocalNet attacks and ServerIP attacks.
LocalNet attacks involve traffic sent to and from local networks; they can happen when a user connects to an untrusted Wi-Fi network. ServerIP attacks involve traffic being sent to and from the VPN server. This type of vulnerability can be exploited by untrusted Wi-Fi networks as well as by malicious internet service providers, the authors said in a summary.
TunnelCrack vulnerabilities would allow bad actors to intercept and misdirect traffic using VPNs’ ordinary data transfer rules. This would breach a VPN’s security and anonymity, the researchers said. Even if traffic is protected with another layer of encryption, such as HTTPS, such attacks can reveal which websites are being visited, which itself may be sensitive information.
According to the researchers, these vulnerabilities have been around since the creation of VPNs in 1996 but “went unnoticed, at least publicly, for more than two decades.”
How Can VPN Users Lessen the Risk?
The best way to protect yourself, says Vanhoef, is to update your VPN. He and his fellow researchers gave vendors 90 days’ advance notice before making their findings public so that the companies would have time to make security updates. Vanhoef says most did. In connection with the study, Cisco has posted on its website an advisory on how its corporate VPN clients can protect themselves against potential attacks.
Vanhoef says properly configured websites using HTTPS add an extra layer of security. Some browsers will warn you when HTTPS is not being used.
A “number of things have to go wrong for you in order to be compromised,” says Ken Colburn, founder and CEO of computer repair and services company Data Doctors. “What we don’t want is for people to think, ‘Gosh, now VPNs are vulnerable to attacks so we shouldn’t use them.’”
Even so, he says, it’s important to update your VPN. If possible, contact your provider to make sure the most recent update specifically patches the TunnelCrack vulnerabilities.
Colburn adds that it’s important to avoid rogue Wi-Fi networks. If a free Wi-Fi connection doesn’t first ask you to agree to its terms and conditions, it’s a red flag, he says. That feature doesn’t guarantee security, he says, but malicious operators generally will not add an agreement page “because they want to make it as easy as possible for people to connect.”
To ensure a secure connection, Colburn notes, you can bypass public Wi-Fi and use your cellphone as a hotspot instead.
More From Advisor
- Microsoft Project Review 2023: Features, Pros & Cons
- What Is A DNS Server?
- What Is A Cyber Attack? Definition, Types & Prevention
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.
