Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers

Posted by timothy on from the not-working-as-intended dept.

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly Russian researchers have exposed the breakthrough U.S. spying program few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.

3 of 65 comments (clear)

  1. Facepalm by jones_supa · · Score: 3, Informative

    The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6.

    Aaarggghh!!! The summary does not explain the issue properly at all.

    All that happens here is that the user's IPv4 traffic is tunneled through the VPN, but his IPv6 traffic is broadcasted past the VPN.

    I'm sure this problem can be avoided with some reconfiguration. The easiest solution would be to simply chuck off the IPv6 subsystem in the operating system.

  2. TFA: by Kiyyik · · Score: 5, Informative

    http://www.eecs.qmul.ac.uk/~ha...

    (Since there doesn't seem to be a link).

    Basically, the table on page 3 is probably where you want to start looking. TorGuard, PrivateInternetAccess, VyperVPN & Mullvad are proof against IPv6 leakage, so it's actually 10 of 14 that aren't.

    Also, they found Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking. Interesting read.

  3. Re:"IPv6 Leakage"??? Give me a break. by Geordish · · Score: 5, Informative

    Exactly this.

    The problem occurs when you have an IPv4 VPN tunnel, and IPv6 native connectivity. The IPv6 connectivity will be preferred over the IPv4 tunnel, and you will connect natively.

    The fix? There are two

    1) Add IPv6 support to the VPN, and default route traffic over that.
    2) Drop the IPv6 connection while connected to the VPN.

    The first solution is obviously best.