Slashdot Mirror


UK Researchers Find IPv6-Related Data Leaks In 11 of 14 VPN Providers

jan_jes writes: According to researchers at Queen Mary University of London, services used by hundreds of thousands of people in the UK to protect their identity on the web are vulnerable to leaks. The study of 14 popular VPN providers found that 11 of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'. The leakage occurs because network operators are increasingly deploying a new version of the protocol used to run the Internet called IPv6. The study also examined the security of various mobile platforms when using VPNs and found that they were much more secure when using Apple's iOS, but were still vulnerable to leakage when using Google's Android. Similarly, Russian researchers have exposed the breakthrough U.S. spying program a few months back. The VPNs they tested certainly aren't confined to the UK; thanks to an anonymous submitter, here's the list of services tested: Hide My Ass, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite.


  1. 14 tested, 11 leaked... by rotaryexpress · · Score: 4, Interesting

    The 14 tested are listed, but not the ones that are leaking data? Why list one and not the other?

  2. "IPv6 Leakage"??? Give me a break. by mark-t · · Score: 4, Insightful

    The study of fourteen popular VPN providers found that eleven of them leaked information about the user because of a vulnerability known as 'IPv6 leakage'.

    No.... That has nothing to do with IPv6, it has to do with what those VPNs support. What that statistic really means is that 11 out of fourteen VPN providers don't really support IPv6 in the first place.

    1. Re:"IPv6 Leakage"??? Give me a break. by Geordish · · Score: 5, Informative

      Exactly this.

      The problem occurs when you have an IPv4 VPN tunnel, and IPv6 native connectivity. The IPv6 connectivity will be preferred over the IPv4 tunnel, and you will connect natively.

      The fix? There are two

      1) Add IPv6 support to the VPN, and default route traffic over that.
      2) Drop the IPv6 connection while connected to the VPN.

      The first solution is obviously best.

  3. ipv6 incompetence is nothing new. by nimbius · · Score: 4, Interesting

    we mandated ipv6 a while back and like alcoholics we refused to give up ipv4 for a myriad of nagging and petulant reasons. it's coming back to haunt us now, with everything from legacy routers that can't grok ipv6 right to switches that can't tag or trunk v6. Many commercial firewalls even struggle to answer the questions "can you support ipv6?" and "can you route it?" with a definitive answer.

    for the average user there's no clear or quick answer; you'll just have to agree that some third party got it right. For slashdotters there's easy-rsa tools to start your CA and OpenVPN which has had support for ipv6 since 2.3. "leakage" is an ephemeral and undefined problem in TFA, but for those of us that live and breathe on planet RTFM an openvpn tunnel that supports v4 and v6 is trivial.

    i'm speaking of the states, but here our cable and fibre providers have 90% coverage of a dual-stack configuration of ipv6 and ipv4 direct to the device. Sure, the modem only grants 1 ip for 1 customer (at least until the net neutrality suits are settled) but once you step into a fresh IPv6 address the measure of this ipv6 debacle becomes apparent. Big players aren't playing: Amazon's various services don't support ipv6 and most of your TLDs outside of the googleverse don't get AAAA. the open source community at freenode does support it however, and most shared/vps hosting providers do as well, so if you need a project this summer at least consider looking at your docsis3 options/ipv6 lease and get to work on that vpn!

    --
    Good people go to bed earlier.

    1. Re:ipv6 incompetence is nothing new. by petermgreen · · Score: 4, Insightful

      I can see a few ways information could leak in a dual stack situation involving a VPN that would not happen if everything was IPv4 only

      1: The user's local connectivity is dual stack (or v6 only) but the VPN is IPv4 only. The result is IPv4 goes via the VPN but IPv6 doesn't. The user thinks the VPN is hiding the origin of their traffic but it isn't hiding the origin of all of it. With a bit of extra work it may also be possible for a website or an attacker in the network to tie the direct v6 address(es) to the VPN v4 address.
      2: IPv6 traffic does go via the VPN but addresses are generated in such a way that the user's MAC address is revealed (for example the user has a network behind the VPN and that network uses MAC based IP autoconfiguration). This MAC address can later be tied
      3: The machine has an IPv6 address from the local ISP. Even if routing tables or firewall configurations are such that this address won't be used for making connections an application could still mistakenly send it as part of a payload. The same could in principle happen with IPv4 but it's much less likely due to pervasive use of NAT.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
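
The three cases listed in the comment above (case 1 is also the leak described in Geordish's reply), written as a check for a Linux VPN client. This is an added example, not part of the original thread; the `ip` output is constructed sample data, and `tun0`, `eth0` and the finding names are assumptions.

```python
import ipaddress

# Constructed sample data in the format of `ip -6 route show` and
# `ip -6 -o addr show` on Linux; 2001:db8::/32 is documentation space.
ROUTES6 = """\
default via fe80::1 dev eth0 proto ra metric 100 pref medium
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
"""
ADDRS6 = """\
2: eth0    inet6 2001:db8:1:0:211:22ff:fe33:4455/64 scope global dynamic
2: eth0    inet6 fe80::211:22ff:fe33:4455/64 scope link
"""

def eui64_mac(addr):
    """Return the MAC embedded in a modified-EUI-64 interface ID, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]  # flip the U/L bit back
    return ":".join(f"{b:02x}" for b in mac)

def audit(routes6, addrs6, tunnel_if):
    """Return (check, interface, detail) findings for the three cases."""
    findings = []
    for line in routes6.splitlines():
        f = line.split()
        if f and f[0] == "default" and "dev" in f:
            dev = f[f.index("dev") + 1]
            if dev != tunnel_if:  # case 1: IPv6 leaves outside the VPN
                findings.append(("v6-default-bypasses-tunnel", dev, line.strip()))
    for line in addrs6.splitlines():
        f = line.split()
        if len(f) < 6 or f[2] != "inet6" or f[f.index("scope") + 1] != "global":
            continue
        dev, addr = f[1], f[3].split("/")[0]
        mac = eui64_mac(addr)
        if mac:  # case 2: the address reveals the hardware MAC
            findings.append(("eui64-mac-exposed", dev, mac))
        if dev != tunnel_if:  # case 3: ISP-assigned address present on the host
            findings.append(("global-v6-off-tunnel", dev, addr))
    return findings

if __name__ == "__main__":
    for finding in audit(ROUTES6, ADDRS6, "tun0"):
        print(finding)
```

An empty result for the real `ip` output while the tunnel is up means none of the three conditions was detected at the routing and addressing level; it says nothing about DNS handling.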

    2. Re:ipv6 incompetence is nothing new. by gstoddart · · Score: 4, Insightful

      Well, then the real thing here is that despite everybody claiming IPv6 is awesome and super, there's crappy and inconsistent support for it.

      So why should any small company or individual be doing anything about IPv6 when the big players aren't, and most of the existing products are apparently doing a terrible job of it?

      IPv6 has been coming "Real Soon Now" for what feels like an eternity. People aren't going to spend money to change when they still need to figure out how to work with the legacy stuff.

      You describe both the epic failure of IPv6 to gain widespread adoption, and the reasons why people are staying the hell away from it.

      --
      Lost at C:>. Found at C.

  4. TFA: by Kiyyik · · Score: 5, Informative

    http://www.eecs.qmul.ac.uk/~ha...

    (Since there doesn't seem to be a link).

    Basically, the table on page 3 is probably where you want to start looking. TorGuard, PrivateInternetAccess, VyprVPN & Mullvad are proof against IPv6 leakage, so it's actually 10 of 14 that aren't.

    Also, they found Astrill is proof against OpenVPN and PPTP/L2TP DNS hijacking. Interesting read.

  5. Re:Teredo leaks by greenwow · · Score: 4, Interesting

    But don't do that! Disabling IPv6 is an "unsupported configuration" to use the phrase our former Microsoft support rep used. I say former because they canceled our support contract without a refund after we admitted to disabling IPv6. There are many things broken in Windows if you disable IPv6, so many that Microsoft won't even try to support it and punishes people that do in order to publicize that fact.