杏吧原创

VPNs could be vulnerable to attacks that send you to fake websites

Virtual private networks (VPNs), which have seen a rise in use as more people work from home, are vulnerable to an attack that removes the anonymity they grant users, researchers have found
VPN
Virtual private networks are designed to keep people safe online
Andrey Suslov/Shutterstock

Virtual private networks (VPNs), which have seen a rise in use as more people work from home, are vulnerable to an attack that removes the anonymity they grant users, researchers have found.

VPNs work by rerouting your internet traffic through a virtual tunnel that encrypts all data that passes through it and disguises your IP (or internet protocol) address, which is used to identify from where you access the internet. They are often used to access internal networks remotely, such as connecting to workplace servers from home. The technology has long been considered secure against external attacks, but now at Arizona State University and his colleagues say they have found a fundamental flaw with VPN infrastructure.

The vulnerability works by monitoring one thing that VPNs cannot hide: the existence and size of the packets of data flowing through them. 鈥淭his is more fundamental than a cute trick,鈥 says Tolley, who claims his attack works against all VPNs. 鈥淚t鈥檚 a fundamental networking vulnerability.鈥

Each user of a VPN is secretly assigned one of around 65,000 possible ports, the entry and exit points to the tunnel through which their data is processed. The first phase of the attack involves sending data packets of different sizes to lots of different ports in an attempt to trick the VPN. If a packet is sent to a user鈥檚 correct port, the VPN will forward it on. Otherwise, the packet will be discarded.

By monitoring traffic through the VPN tunnel and the size of the data packets that make it through, it is possible to identify a user鈥檚 port. Hackers can then send packets where they have modified the source address to appear as though the packet is coming from one of the legitimate ends of the connection, which can send users to a fraudulent website or inject malicious data into any websites they visit.

The researchers at the Usenix Security Symposium last week. They say they have reported the attack method to a number of VPN providers, but it is likely that not all VPNs in use today will be patched to prevent the vulnerability. 鈥淥ur advice is to avoid VPNs if you鈥檙e trying to keep your information private from government entities, or something like that,鈥 says Tolley, but he says they could be OK in other situations. 鈥淚t depends on the use case.鈥

The use of VPNs has become more popular as people work from home and require secure access to work files stored on business servers. They are also used by some people to subvert geographical region locks on services such as Netflix, and by those living in countries ruled by repressive regimes to try to avoid surveillance.

鈥淚 really like what the authors have done,鈥 says at Queen Mary University of London. 鈥淭hey鈥檝e found a bunch of flaws and put them together to discover a comprehensive attack.鈥 Yet Tyson points out that the skill level required to carry out a successful attack is more than the average hacker is likely to have. 鈥淭hese attacks can鈥檛 be performed by some kid in the basement. It鈥檚 something that does require some dedicated effort, and in some cases a pretty powerful adversary.鈥

Tyson points out that attackers would require a physical presence in the correct parts of an IT network in order to carry out the level of intrusive packet monitoring required. 鈥淚n an authoritarian regime where the state controls all the infrastructure, that would be much easier,鈥 he says. In the UK, for example, where networks are privatised and government control is at arm鈥檚 length, that would be trickier.

Topics: security