Slashdot Mirror


Privacy Vulnerability Exposes VPN Users' Real IP Addresses (thestack.com)

An anonymous reader writes: A major security flaw which reveals VPN users' real IP addresses has been discovered by Perfect Privacy (PP). The researchers suggest that the problem affects all VPN protocols, including IPSec, PPTP and OpenVPN. The technique involves a port-forwarding tactic whereby a hacker using the same VPN as its victim can forward traffic through a certain port, which exposes the unsuspecting user's IP address. This issue persists even if the victim has disabled port forwarding. PP discovered that five out of nine prominent VPN providers that offer port forwarding were vulnerable to the attack.

12 of 94 comments

  1. Clever but not earthshaking. by houstonbofh · · Score: 4, Interesting

    Essentially, you are having the user connect to the internal address of the VPN server for your forwarded port, and therefore you do not go through the VPN or NAT. A good VPN service will have bound your port to the external address only, and this would not work. And the bad ones will fix this quickly, I bet.

  2. Bigger problems by ilsaloving · · Score: 5, Insightful

    The only requirement is that the attacker has port forwarding enabled on the same VPN network as its target. A phishing link or laced image file, for example, is then sent to the victim which leads the traffic to a port under the hacker’s control.

    So... using a social engineering attack can expose the victim's IP address. Am I missing something? 'Cause to me this falls under the category of "Well no shit, Sherlock!" If you can convince a user to run a malicious payload, then having an IP address exposed is the least of the victim's problems.

    1. Re:Bigger problems by whoever57 · · Score: 2

      The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country.

      Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website (and obviously, the replies are routed back the same way).

      --
      The real "Libtards" are the Libertarians!
    2. Re:Bigger problems by Antique+Geekmeister · · Score: 2

      >> "Masking one's origin is often the entire purpose of a VPN, at least from a consumer standpoint."

      > Uhhh... nope, why should that be the case?

      To avoid a subpoena for the records of the connecting IP address, or to fool geo-IP based content restrictions from blocking people outside the UK from watching BBC programs, or to evade the "Great Firewall" of China, or to avoid tracking a command control center for a botnet, or to avoid detection of the "amazing offer" as coming from Nigeria, or simply to send spam from IP addresses which are not in public blacklists.

    3. Re:Bigger problems by turbidostato · · Score: 2

      "The term VPN has been co-opted by providers that provide VPN and routing services. People pay for this service so that they can mask their true location -- for example, to use video services not available in their country."

      Oh, I see now! People got fooled into buying a VPN service when they wanted an anonymizer service.

      "Individual users are not using the VPN to connect to each other, but instead to connect to the VPN endpoint, from where their encapsulated packets are routed to the destination website"

      And then, the protocol works as designed instead of how an ignoramus thought it worked. Surprise, surprise!

  3. Re: Damn people are getting dumb by RubberDogBone · · Score: 4, Insightful

    This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records. And then VPN from your home or whatever into that seed box. The box runs your torrents for you. The only traffic your IP sees is the encrypted transfers of completed files between you and the seed box. NOT VPN'd torrents.

    This is of course not foolproof but it adds a nice layer between your own IP and the infringing activity. It also helps if you are on a bandwidth capped account as your connection doesn't have to support all the torrent traffic. And for cost, a seed box with VPN is not a lot more than a VPN alone. So it's not a big deal.

    Well, a lot of people use VPNs to hide their torrenting, and IP addresses are how copyright trolls find you and send you letters, so it kinda is an issue if you're paying for a VPN to hide your torrenting, and thus not get caught.

    --
    Sig for hire.
  4. Is that a secret? by Marc_Hawke · · Score: 5, Insightful

    I don't know that VPNs are supposed to hide the end IP addresses. They make a tunnel through the Internet so you can 'pretend' to be on the same local network as the remote host. (That's the Virtual part.) They also encrypt that traffic so the Internet doesn't get to listen to what you say. (That's the Private part.)

    Nowhere in VPN do I see that it's an 'anonymizing proxy' or something else that's supposed to obfuscate either of the end-points. Sure, a lot of people started using VPNs for that purpose, but claiming there's a vulnerability or flaw in IPSec or OpenVPN because it's not 'anonymizing' seems like you've missed the mark a bit.

    --
    --Welcome to the Realm of the Hawke--
  5. Security services vs VPN? by AHuxley · · Score: 2

    Ideas like this show why VPN use was not a huge issue: "Revealed: how US and UK spy agencies defeat internet privacy and security" (6 September 2013)
    http://www.theguardian.com/wor...
    ".. decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access .."
    or under the new UK net laws "Snooper's Charter: Why aren't VPNs and Tor mentioned in the Investigatory Powers Bill?" (November 5, 2015)
    http://www.ibtimes.co.uk/snoop...
    ".. but surprisingly, nowhere in the proposal does it mention the use of Virtual Private Networks (VPN)."

    What can be done? Some creative way for an internal double VPN?
    This could also show that VPN use is vulnerable at a city, state, private sector or federal level/budget rather than just a shorter list of advanced nations with a domestic collect it all capability.

    --
    Domestic spying is now "Benign Information Gathering"
  6. Re:Untold requirement? by undecim11 · · Score: 2

    No. The attacker forwards a port on the VPN gateway. This means that the attacker receives any traffic on that port already, including the victim's IP. All the attacker needs is the same level of VPN access that the victim is paying for.
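    Comments 1 and 6 between them describe the whole mechanism: the client's routing table sends everything through the tunnel except traffic to the VPN server's own address, so a connection to a port forwarded on that address leaves via the real interface, and the co-tenant holding the forward sees the real source; binding forwards to a separate exit address only (comment 1's fix) closes it. The following is an added illustration, not code from Perfect Privacy, the article or any commenter. It models the client's routing table and the gateway's forward bindings with constructed addresses (RFC 5737 documentation ranges and private space) and includes the provider-side audit a defender would run: flag any forward bound to a tunnel entry address. Address values, the route table and the forward sets are all assumptions made for the example.

```python
"""Added example: why a forwarded port on a shared VPN gateway can reveal a
client's real address, and the provider-side check that prevents it.
All addresses below are constructed (RFC 5737 documentation ranges and
private space); nothing here is a real host or a real provider's config."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                      # interface the packet leaves on
    src: ipaddress.IPv4Address      # source address stamped on the packet


def pick_route(table, dst):
    """Longest-prefix match, as a real host's routing table does it."""
    candidates = [r for r in table if dst in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


# Constructed addresses for the scenario (assumptions, not real hosts).
REAL_IP = ipaddress.ip_address("198.51.100.23")    # client's ISP-assigned address
TUN_IP = ipaddress.ip_address("10.8.0.23")         # client's address inside the tunnel
VPN_ENTRY = ipaddress.ip_address("203.0.113.10")   # address the tunnel itself connects to
VPN_EXIT = ipaddress.ip_address("203.0.113.11")    # separate address used for exits/forwards

# A typical "route everything through the VPN" table. The tunnel's own
# endpoint must be reachable outside the tunnel, so it gets a host route
# via the physical interface; that exception is what the leak rides on.
CLIENT_TABLE = (
    Route(ipaddress.ip_network("0.0.0.0/0"), "tun0", TUN_IP),
    Route(ipaddress.ip_network(f"{VPN_ENTRY}/32"), "eth0", REAL_IP),
)

# Port forwards as (listen address, port). Weak: the provider forwards on
# the same address clients connect the tunnel to. Hardened: forwards live
# on a separate exit address that clients can only reach through the tunnel.
WEAK_FORWARDS = frozenset({(VPN_ENTRY, 40000)})
HARDENED_FORWARDS = frozenset({(VPN_EXIT, 40000)})


def observed_source(listen_addr, port, forwards, table=CLIENT_TABLE):
    """Source address the holder of a forwarded port sees when a client on
    the same gateway connects to it; None if nothing listens there."""
    if (listen_addr, port) not in forwards:
        return None
    return pick_route(table, listen_addr).src


def leaky_forwards(forwards, entry_addrs):
    """Provider-side audit: forwards bound to a tunnel entry address are the
    ones a co-tenant could use to learn another client's real address."""
    return {f for f in forwards if f[0] in entry_addrs}


if __name__ == "__main__":
    print("weak:    ", observed_source(VPN_ENTRY, 40000, WEAK_FORWARDS))      # real address
    print("hardened:", observed_source(VPN_EXIT, 40000, HARDENED_FORWARDS))   # tunnel address
    print("audit:   ", leaky_forwards(WEAK_FORWARDS, {VPN_ENTRY}))
```

In the weak configuration the connection is routed by the /32 host route and carries the real address; in the hardened one the exit address falls under the default route, so it travels inside the tunnel and the forward holder only ever sees a tunnel-side address. The audit function is the check a provider can run over its forward table regardless of how clients are configured.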

  7. Re: Damn people are getting dumb by dotancohen · · Score: 3, Insightful

    > This is a mistake, then. If you want to torrent and avoid copyright holders, you need to use a SEED BOX somewhere overseas where they don't keep records.

    Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them. Seriously, I use a VPN and I use bittorrent for legitimate purposes, and you are ruining my ability to use my tools responsibly.

    Just like the idiots that shine laser pointers at landing airplanes so now I cannot use a laser pointer to responsibly teach my daughters astronomy, you are abusing and ruining a tool for nothing of value. If you are so addicted to movies that you cannot even afford to pay for your habit, then you need counseling.

    --
    It is dangerous to be right when the government is wrong.
  8. Re: Damn people are getting dumb by Linux+Freak · · Score: 4, Insightful

    What about the many, many movies that never actually get released where I live (likely 20% or more never get released here, as a way of "protecting" the domestic movie producing market here)? Oh, I get it, you want me to wait until they are released on DVD and have me import them, right? Too bad about region encoding, apparently I am a "thief" for wanting to buy & watch DVDs in a different region.

    I am happy to pay for content, but don't make it impossible to do so and I'll stop circumventing. Hell, the money I pay for a VPN could go to the content provider instead.

  9. Re: Damn people are getting dumb by thegarbz · · Score: 3, Funny

    > Or how about a more novel idea: Instead of paying to avoid copyright, either actually pay for the movies you watch or don't watch them.

    I tried that. No one would take my money. And 6 months later when they did want to take my money they wanted to take twice as much as normal because... well I assume they had the added cost of dubbing the original so people said "aluminium" instead of "aluminum" and had to put the missing 'u' back into various words in the subtitles. Maybe they even edited the footage so the toilets flushed in the opposite way, that would justify the cost.