
VPNs like HideMyAss and TorGuard aren’t keeping IPv6 users safe

Your VPN might not be protecting your privacy as much as you think. 

Research carried out by British and Italian scholars has reportedly shown that 11 of the 14 most popular commercial VPN services are giving away IP data on users – data which could be used to target the person “behind” the VPN. 

The research, undertaken by a team from the University of Rome and London’s Queen Mary College, found that, despite bold claims about safety and privacy, the majority of commercial VPNs tested secured only IPv4 data and ‘leaked’ IPv6 data.

Big names like HideMyAss, IPVanish and TunnelBear were among those examined and found wanting, while Mullvad and TorGuard avoided the leak by “turning off” IPv6 on users’ machines; an inelegant solution, but one which could easily be employed by all the VPNs found to be making subscribers vulnerable.

The team’s research paper notes that: “In many cases, we measured the entirety of a client’s IPv6 traffic being leaked over the native interface. A further security screening revealed two DNS hijacking attacks that allow us to gain access to all of a victim’s traffic.”
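A client can check for this condition in its own routing table. The following is an added example, not taken from the article or the research paper: it parses constructed Linux `ip -6 route show` output and reports whether traffic to a global IPv6 address would leave over the native interface instead of the tunnel. The interface names (`eth0`, `tun0`), all addresses and the helper function names are assumptions.

```python
import ipaddress

# Constructed sample of `ip -6 route show` on a client whose VPN installed
# only IPv4 routes: the IPv6 default route still points at the LAN router.
LEAKY = """\
2001:db8:1::/64 dev eth0 proto ra metric 100 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::1 dev eth0 proto ra metric 100 pref medium
"""

# Constructed sample: the VPN also covers IPv6 space with two more-specific
# routes through the tunnel, which win over the native default route.
TUNNELLED = LEAKY + """\
::/1 dev tun0 metric 50 pref medium
8000::/1 dev tun0 metric 50 pref medium
"""

def parse_routes(text):
    """Return (network, device, metric) per route; device None = dropped."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        # Route types that discard traffic rather than forward it.
        dropped = tok[0] in ("unreachable", "blackhole", "prohibit")
        if dropped:
            tok = tok[1:]
        if not dropped and "dev" not in tok:
            continue
        prefix = "::/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = None if dropped else tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append((net, dev, metric))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match, lowest metric as tie-break; None if no route."""
    dst = ipaddress.ip_address(destination)
    hits = [r for r in routes if dst in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1] if hits else None

def ipv6_leaks(route_text, tunnel_dev, probe="2001:db8:ffff::1"):
    """True when traffic to the (constructed) probe address bypasses the tunnel."""
    dev = egress_device(parse_routes(route_text), probe)
    return dev is not None and dev != tunnel_dev
```

The check covers routing only; it does not detect the DNS hijacking the paper also describes.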


Not everyone uses IPv6, but those who do could find themselves targeted by parties who have been able to peer through the VPN to see their actual IP data. While it’s unlikely that a person could be fully ‘identified’ by their IP address, the data does allow their inexact location to be seen, and also gives away key data which could allow a nefarious party to launch an attack on their home network. If they were using the VPN to stay under the radar of an oppressive government, they could be identified – which could literally be the difference between life and death.

Internet Protocol (IP) numbers can be thought of as similar to phone numbers, which allow machines on a network to communicate with one another. IPv4 is the standard which has been used for some 35 years, but owing to increased demand the pool of available numbers began to run out, so IPv6 was introduced, which uses more digits, thereby increasing the number of available variations exponentially.

The issue with IPv6 is that technologies which have been happily chugging away on IPv4 haven’t fully come around to supporting the newer protocol, whether through apathy, ignorance or logistics, which – as we’ve seen in this latest research – is leaving users vulnerable to attack or discovery.

If you rely on your VPN to really protect you, you’d do well to undertake a little research, because you may not be getting what you pay for and you may end up getting something which you certainly do not want. 

The full research paper can be found here.
