People who use a virtual private network (VPN) might think they are safe from the prying eyes of oppressive governments and hackers, but security researchers say even VPNs are not so safe anymore.
The problem arises as the Internet shifts to IPv6, the protocol now being adopted because the supply of IPv4 addresses has run out. A team of researchers from Queen Mary University of London and the Sapienza University of Rome found that many of the most popular VPN service providers are not actually set up to protect IPv6 traffic.
"Whereas our work initially started as a general exploration, we soon discovered that a serious vulnerability, IPv6 traffic leakage, is pervasive across nearly all VPN services," the researchers say [pdf] in their report. "In many cases, we measured the entirety of a client's IPv6 traffic being leaked over the native interface."
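The leak the researchers describe comes down to routing: the VPN client redirects the IPv4 default route into the tunnel but leaves the IPv6 default route on the native interface. The following added check (not from the paper or any VPN vendor) parses Linux `ip -6 route show` output and reports whether the preferred IPv6 default route bypasses the tunnel; the route listings and interface names are constructed assumptions.

```python
# Constructed `ip -6 route show` output from a Linux VPN client whose software only
# redirected the IPv4 default route; interface names are assumptions.
LEAKY_ROUTES = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""

# Same host after the client adds a lower-metric IPv6 default route into the tunnel.
TUNNELED_ROUTES = """\
2001:db8:1::/64 dev eth0 proto kernel metric 256 pref medium
default dev tun0 metric 50 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""

# Alternative mitigation: the client blackholes IPv6 instead of tunnelling it.
BLOCKED_ROUTES = """\
unreachable default dev lo metric 50 pref medium
default via fe80::1 dev eth0 proto ra metric 1024 pref medium
"""

BLOCKING_TYPES = {"unreachable", "blackhole", "prohibit"}


def parse_default_routes(route_output):
    """Return (kind, dev, metric) for each IPv6 default route, lowest metric first;
    kind is "blocked" for unreachable/blackhole routes, else "forward"."""
    parsed = []
    for line in route_output.splitlines():
        fields = line.split()
        kind = "forward"
        if fields and fields[0] in BLOCKING_TYPES:
            kind, fields = "blocked", fields[1:]   # route type precedes the prefix
        if not fields or fields[0] not in ("default", "::/0"):
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 1024
        parsed.append((kind, dev, metric))
    return sorted(parsed, key=lambda route: route[2])


def ipv6_leaks(route_output, tunnel_ifaces=("tun0", "tap0", "wg0")):
    """True when the preferred IPv6 default route bypasses the VPN tunnel."""
    routes = parse_default_routes(route_output)
    if not routes:
        return False  # no IPv6 default route: v6 is unreachable, nothing can leak
    kind, dev, _ = routes[0]  # the lowest-metric default route carries the traffic
    return kind == "forward" and dev not in tunnel_ifaces
```

On a live host, feed `ipv6_leaks()` the output of `ip -6 route show` while connected to the VPN; a `True` result means IPv6-capable destinations are reached over the native interface exactly as the study describes.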
VPNs are supposed to protect a user's privacy and security by routing traffic through an encrypted tunnel so that observers cannot tell where the traffic really comes from. They are useful for people who want to evade censorship by iron-fisted governments, but also for people who want to bypass the geographic restrictions imposed by some Internet services, such as Netflix and BBC iPlayer.
However, the researchers found that of the 14 VPN service providers they studied, only three had even partial protection in place to keep their clients' online activity from being exposed to the very parties the clients were trying to hide it from. Only TorGuard, PrivateInternetAccess and VyprVPN users are protected from IPv6 leakage. The rest of the providers in the study, including Hide My Ass, IPVanish, Astrill and ExpressVPN, were all found to be vulnerable.
This does not mean that TorGuard, PrivateInternetAccess and VyprVPN are fully safe: the researchers also discovered that every provider except Astrill has weaknesses that make it prone to DNS hijacking, which lets an attacker targeting a user gain access to all of that user's traffic without the user knowing. The researchers did note, however, that users of Windows 8 and of Android KitKat and later are safe from DNS hijacking, as both platforms have mechanisms that continue to force traffic through the VPN even while under attack.
They also criticized VPN service providers for failing to give clients accurate information about their products, arguing that a better-informed market would likely compel providers to strengthen their protections against IPv6 leakage and DNS hijacking.
"We realized that another worrying aspect of today's market of VPN services is the large misinformation end users are exposed to, which makes it hard for them to properly tell apart vague and bold claims typical of product advertisement campaigns with actual facts," the researchers say.