Vast majority of VPN services are porous with personal data

30 Jun 2015

A new study that analysed the security of 14 of the most popular virtual private network (VPN) services used by European internet users has found that the vast majority of them are incredibly porous when it comes to leaking information.

According to the study, of the 14, 11 of them were prone to IPv6 leakage, which allows access to the list of websites they have visited such as forums, but there is some relief in that https-encrypted websites were not able to be accessed.

According to the researchers from Queen Mary, University of London, the VPN leakage occurs because of the rapid changeover of IPv4 websites to IPv6 as part of the urgent need to allow the internet expand past a limited number of IP addresses.

However, many of the VPNs that are run today are set up only to protect users for IPv4 traffic, putting the security of users visiting sites using IPv6 at risk.

The research team was able to come to these conclusions by choosing the 14 VPN services and connecting various devices to a Wi-Fi access point designed to replicate a system a hacker might use.

The two methods of testing undertaken by the team included casting their virtual net and gathering any leaked data it came across through passive monitoring, as well as hijacking a user’s domain name system (DNS) and sending them to fake versions of Google and Facebook.

With regard to VPNs used on mobile devices, the team found that services on iOS were much more secure than those tested on Android devices.

Speaking of the findings, Dr Gareth Tyson, a lecturer from QMUL and co-author of the study, said: “We’re most concerned for those people trying to protect their browsing from oppressive regimes. They could be emboldened by their supposed anonymity while actually revealing all their data and online activity and exposing themselves to possible repercussions.”

Earlier this month, VPN provider Hola, which boasted of having 50m downloads on Google Chrome browsers, was accused of passing on user details and selling users’ bandwidth without their knowledge.

Leaking pipe image via Shutterstock

Colm Gorey was a senior journalist with Silicon Republic

editorial@siliconrepublic.com