A new study to come out of the Sapienza University of Rome and Queen Mary University of London has found that a large number of commercial virtual private network (VPN) providers utilize systems that are wide open to attacks. The potential is there, the researchers say, for those using VPN services to have their browsing history and other Internet-related traffic viewed by external actors, without too much difficulty.
Of all the 16 services considered as part of the study, only one was protected from DNS hijacking. However even that one fell down when it came to IPv6-leaks, along with 13 of the other VPN companies.
To make matters worse, over half of the services looked into used the Point-to-Point Tunnelling Protocol with MS-CHAPv2 authentications, which, as TechReport points out, makes them vulnerable to brute force hacks.
These revelations are problematic for the VPN industry — and specifically the companies named and shamed — as their whole job is to obfuscate a user’s Internet traffic. If that is as obvious when using a VPN as without, then it’s technically worse to use one of these services, since those hoping to infiltrate their servers know that the person behind the traffic doesn’t want to be found.
This is also sad news for those that were hoping to hide their traffic from an overintrusive government. While some VPN providers would be unlikely to work directly with the authorities of any nation, the NSA and GHCQ have shown a penchant for hacking and the use of malware to garner information, so it wouldn’t be surprising to learn that some of these VPNs have been infiltrated by government organizations.
Do any of you use these VPN services? If so, do you plan to continue doing so after these revelations?