Fresh research has cast further doubt on the ability of virtual private networks (VPNs) to protect users’ privacy from intelligence agencies and criminal hackers.
VPNs are secure lines of communication that set up a private network between devices across public networks. They protect users’ privacy by setting up an encrypted tunnel between the device being used and the VPN provider’s servers when accessing online services, in theory making it more difficult for hackers to siphon or steal data mid-transit. You can download a VPN as a browser extension if you want to make it harder for others to see what you’re looking at on the web.
The research was published by Queen Mary University in London, in a paper titled “A Glance Through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN Clients.”
The scientists examined the Hide My Arse, IPVanish, Astrill, ExpressVPN, StrongVPN, PureVPN, TorGuard, AirVPN, PrivateInternetAccess, VyprVPN, Tunnelbear, proXPN, Mullvad, and Hotspot Shield Elite services’ security.
Disturbingly, the researchers found that a staggering 11 out of the 14 VPNs are vulnerable to an “IPv6 leakage issue.”
IPv6 provides and manages the IP addresses devices used to connect to the internet. It’s the next generation replacement to IPv4, but more robust. IPv6 was developed to allow more users and devices to communicate on the Internet using a number of under-the-hood changes, including the move to use longer IP addresses.
The leakage issue reportedly stems from the way the VPN’s handle Internet Protocol Version 6 (IPv6) traffic. Specifically, the researchers claim the affected VPNs are only able to reliably deal with IPv4 traffic and can leave their users potentially unprotected when visiting sites running the newer IPv6 protocol.
The news is troubling as VPNs are commonly viewed as one of the best ways web users can protect their digital privacy and the use of IPv6 is becoming more widespread.
Controversial whistle blower Edward Snowden listed VPNs as a key way people can protect themselves from government surveillance, such as the NSA’s PRISM campaign, during a privacy discussion at the SXSW conference in Texas in March 2014.
Cracking VPN defences has been an ongoing goal of numerous intelligence agencies, including the NSA and GCHQ, according to Snowden documents leaked to Der Spiegel.
Security firm Alienvault reported uncovering similar evidence the Chinese government is working to track VPN users in a JSONP hijacking report in June.
Queen Mary University scientists cited the research and attacks as proof web users need to stop looking for a “silver bullet” technology solution to their privacy concerns and adopt more robust defence strategies.
“A common misconception is that the word ‘private’ in the VPN initialism is related to the end-user’s privacy, rather than to the interconnection of private networks,” read the report.
“In reality, privacy and anonymity are features that are hard to obtain, requiring a careful mix of technologies and best practices that directly address a well-defined adversarial/threatmodel. In other words, there is no silver bullet within this domain.”