Proceedings on Privacy Enhancing Technologies 2015; 2015 (1):77–91 Vasile C. Perta*, Marco V. Barbera, Gareth Tyson, Hamed Haddadi1, and Alessandro Mei2 A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients Abstract: Commercial Virtual Private Network (VPN) ser- garding untrusted or malicious parties observing and/or ma- vices have become a popular and convenient technology for nipulating user communications. This has contributed to a users seeking privacy and anonymity. They have been applied rise in the popularity of tools promising end-users a pri- to a wide range of use cases, with commercial providers of- vate and/or anonymous online experience [5–9]. Among them, ten making bold claims regarding their ability to fulfil each VPN-based solutions are receiving an increasing amount of at- of these needs, e.g., censorship circumvention, anonymity and tention [8, 10, 11]. In fact, the market today is littered with a protection from monitoring and tracking. However, as of yet, number of low-cost commercial VPN services, claiming to be the claims made by these providers have not received a suf- able to enhance user security and privacy, or even to provide ficiently detailed scrutiny. This paper thus investigates the anonymity, by tunneling their Internet traffic in an encrypted claims of privacy and anonymity in commercial VPN services. form to an (ideally) trusted remote endpoint. We analyse 14 of the most popular ones, inspecting their inter- There are several use cases that may have contributed to nals and their infrastructures. Despite being a known issue, our this spike in popularity. For example, the use of public net- experimental study reveals that the majority of VPN services works has increased dramatically in-line with the expansion suffer from IPv6 traffic leakage. The work is extended by de- of the mobile device market. Such infrastructures are ripe veloping more sophisticated DNS hijacking attacks that allow for attack (e.g., stealing credentials, snooping, session hijack- all traffic to be transparently captured. We conclude discussing ing [12–14]), leading some users to securely direct their traf- a range of best practices and countermeasures that can address fic through a VPN tunnel as a solution for safeguarding their these vulnerabilities. interactions [15]. Other users may be attracted by VPN tun- nel encryption as a way to avoid unwanted attention, or sim- Keywords: VPN, IPV6, DNS hijacking ply to hide their actions from their ISP or other passive ob- DOI 10.1515/popets-2015-0006 servers. Others turn to VPN services for more pragmatic rea- Received 11/22/2014; revised 2/16/2015; accepted 2/17/2015. sons, wishing to circumvent Internet censorship by tunnel- ing through firewalls [16], or accessing content that is either blocked by their ISP or restricted based on a country’s IP ad- 1 Introduction dresses (e.g., BBC iPlayer, Hulu, Netflix). In response to the latter, many VPN services allow users to select their exit points Recent revelations regarding massive surveillance projects [1] so that they can gain IP addresses in a number of different and the restrictions that some governments impose on their countries or administrative domains. Finally VPN services are citizens [2–4] have increased the general public’s concern re- widely used by citizens facing government-supported large- scale Internet censorships events, as revealed by recent stud- ies [3,4]. All commercial VPN service providers support the above *Corresponding Author: Vasile C. Perta: Sapienza University of use cases to some extent, although their capability to preserve Rome, E-mail: [email protected] user privacy and anonymity has already raised some ques- Marco V. Barbera: Sapienza University of Rome, E-mail: bar- tions [17]. In fact, a common misconception is that the word [email protected] “private” in the VPN initialism is related to the end-user’s pri- Gareth Tyson: Queen Mary University of London, E-mail: [email protected] vacy, rather than to the interconnection of private networks. Hamed Haddadi1: Queen Mary University of London, E-mail: In reality, privacy and anonymity are features that are hard [email protected]. This work was done while the author was to obtain, requiring a careful mix of technologies and best at Qatar Computing Research Institute. practices that directly address a well-defined adversarial/threat 2 Alessandro Mei : Sapienza University of Rome, E-mail: model [5, 17]. In other words, there is no silver bullet within [email protected]. This work has been partially supported by a Google this domain. For instance, it is clear that simply tunneling traf- Faculty Research Grant 2013. fic through a VPN cannot provide the same anonymity guar- Brought to you by | Imperial College London Authenticated Download Date | 2/8/18 10:19 AM A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients 78 antees of more rigorous (and vetted) systems such as Tor [5]. 2 Commercial VPN services This does not come as a surprise, as VPNs were not originally intended to provide anonymity and/or privacy. We begin by surveying a number of commercial VPN services Still, the appeal that these services have for the general to understand their infrastructures and technologies. public is very high, perhaps because of their ease of use, their relatively high performance, their effective marketing strate- gies, and the bold statements the providers make, though in 2.1 Overview of Commercial VPN service absence of objective evidence in their support. The resulting blind faith that uninformed users may put into these services providers is thus a worrisome problem that has to be tackled effectively and rapidly. A large range of commercial VPN services exists today. We Within this context, we contribute by shedding light on therefore begin our study by performing an analysis of the the privacy and anonymity features of the popular commercial market, registering credentials with 14 services. This set has VPN services available today on the market. We use an ex- been selected due to their widespread popularity and adver- perimental approach, subscribing to 14 services, downloading tised features. All the experiments were carried out during the their recommended clients on both desktop and mobile sys- period September – December, 2014. Given the impossibility tems, and testing them in our lab. Our findings confirm the of objectively measuring it, popularity was approximated with criticality of the current situation: many of these providers leak the number of times each VPN service was mentioned in the all, or a critical part of the user traffic in mildly adversarial en- first 20 Google results corresponding to queries such as “Best vironments. The reasons for these failings are diverse, not least VPN” or “Anonymous VPN”. The idea was to identify the sub- the poorly defined, poorly explored nature of VPN usage, re- set of providers that the average user would be most likely to quirements and threat models. purchase, based on public reviews, forum mentions, and so on. This paper is organised as follows. We first survey the Our selection was further augmented with VPN services that, tunneling technologies most commonly used by VPN service although not among the most popular, advertised distinctive providers (§2), finding that many still rely on outdated tech- features that were relevant to our study. These include Mull- nologies such as PPTP (with MS-CHAPv2), that can be easily vad, which to the best of our knowledge is the only provider broken through brute-force attacks [18]. We then show that mentioning IPv6 leakage protection; Hotspot Shield, promis- the vast majority of commercial VPNs clients suffer from data ing WiFi security in untrusted hotspots; and TorGuard, which leakage in dual stack networks (i.e., those supporting both explicitly targets BitTorrent users. Table1 lists the providers IPv4 and IPv6), sending large amounts of traffic over the native selected. interface, unbeknown to the user (§3). By exploring various applications, websites and operating systems, we show that significant amounts of traffic are therefore exposed to public 2.2 VPN service infrastructure detection, while users retain the belief that all their interactions are securely occurring over the tunnel (§4). Most importantly, We next briefly explore the infrastructures used by commercial we find that the small amount of IPv6 traffic leaking outside of VPN services, as observed from our experiments. As Table1 the VPN tunnel has the potential to actually expose the whole shows, the number of available servers (exit points) can vary user browsing history even on IPv4 only websites. We further significantly across providers, ranging from several hundreds extend this analysis by delineating a DNS hijacking attack that of the top 4 down to less than 10 (a small number of servers exploits another key vulnerability in many VPN configurations could indicate the capability of dynamically adding more re- (§5). Through this attack, a substantial amount of IPv4 traffic sources, based on the service utilisation). Figure1 presents the can be leaked from the VPN tunnel too. distribution of exit points across countries, highlighting a sig- It is important to note that, worryingly, the insecurity of nificant bias towards the United States (US). This is probably PPTP (with MS-CHAPv2), as well as IPv6 and DNS leakage related to the amount of content that is only accessible from in VPNs are not new to the community [17–20]. Despite this, the US, e.g., Hulu, Showtime Anytime, HBO GO. Countries our study reveals that many commercial VPN services still fail with strict privacy laws (e.g., Netherlands) also seem attractive to properly secure user traffic. These low-cost solutions there- as VPN tunnel exit points, perhaps driven by users concerned fore raise many questions in terms of trust and reliability.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages15 Page
-
File Size-