VPN Data Leaks: What They Don’t Want You to Know
All commercial VPNs have been marketed as the best and most convenient pieces of technology for users looking to improve their privacy. VPN providers make bold affirmations, like, “we provide 100% Internet privacy protection, avoid tracking and monitoring, and even circumvent censorship and geo-restricted content.”
But what many people don’t know is that VPNs were initially created to extend private networks (LANs/WANs) to other geographies using the Internet — (NOT really as privacy tools).
So, the word “Private” in Virtual Private Network could be the one stirring up the confusion.
In this post, we’ll demystify the popular VPN, as they are also vulnerable to security breaches and data leaks. Especially now, as more and more organizations are using enterprise VPNs as well. We’ll go through the most common ways VPNs leak data. The most obvious is when VPNs keep logs and sell (send) it somewhere. But VPNs may also fall victim to cyberattacks. If they don’t have strong encryption and the proper configuration, they’ll likely be hacked. Additionally, you’ll also learn how to avoid data leakage in any VPN.
VPNs also get hacked.
In August 2020, a hacker compiled a list of plain-text usernames, passwords, IP addresses, and other sensitive information from more than 900 enterprise Pulse Secure VPN servers, according to a ZDNet article. Of course, as a “good samaritan” black-hat hacker, he went on and published the list on a ransomware forum on the dark web.
Anyone with their hands on the list could use the information to gain remote access to internal corporate networks and make money by kidnapping sensitive data.
In another case, one of the most popular VPN services, NordVPN, was also a victim of a security breach. One of their servers in a data center in Finland was hacked in March 2018. NordVPN acknowledged the breach in Oct 2019 — a year later. Although the breach didn’t compromise any user information and was considered minor, the customer’s Internet traffic was at the hands of a hacker and prone to a man-in-the-middle attack.
VPNs are vulnerable to cyberattacks, and should be used with caution.
The Misconfigured VPN Service
Pulse Secure VPN and NordVPN are not the only victims of attacks. Most VPN providers have had some form of minor-major attack that led to a data leak. For example, TorGuard and VikingVPN also suffered from a similar attack in Oct 2019 (one acknowledged and the other didn’t). Private Internet Access (PIA) VPN also had to face an IP address leak in its port forwarding feature in 2015.
When the VPN service, whether it’s a commercial VPN or enterprise VPN, gets hacked, the provider and its corporate customers will be affected. After all, what the hacker is really after, is either corporate’s or end user’s data.
How a Misconfigured VPN Leaks Data?
1.IPv6 and dual-stack networks are vulnerable to VPN data leaks. When users want to migrate into IPv6, but are still under an IPv4 network, they can use both versions of the IP protocol. According to a research paper from 2015 “A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients,” almost all VPN service providers at that time (and still today) are ignoring the IPv6 routing table. So all IPv6 traffic bypasses the VPN gateway interface — that means no VPN tunnel for IPv6 traffic. Additionally, VPN services that only consider IPv4 will also ignore the IPv6 DNS lookups and ultimately expose DNS information.
2. WebRTC data leaks. WebRTC (Web Real-Time Communication) is a protocol that provides most web browsers the capability to establish voice, video, and P2P communication without any add-ons. Unfortunately, WebRTC has inherited security flaws for web browsers, VPNs, and firewalls. When WebRTC wants to establish its communication to a remote client via STUN (Session Traversal Utilities for NAT) servers, WebRTC looks for the local client’s IP address using the Interactive Connectivity Establishment (ICE) protocol. The ICE protocol finds and reveals the IPv6 address of the local client to the STUN server (regardless of being connected to a VPN). This vulnerability only happens with IPv6 because it uses the same IP for private and public networks.
3. Old and vulnerable VPN technologies. VPN protocols such as PPTP with MS-CHAPv2 can be easily broken with brute-force attacks. Even though PPTP is considered one of the weakest VPN protocols, many VPN providers are still using it. And even with stronger protocols, such as SSL-VPN, some providers are likely to leave it with security vulnerabilities. According to a UK’s National Cyber Security Center published a document exposing Advanced Persistent Threat (APT) actors that pose a threat to SSL-VPN products from popular vendors, Pulse Secure, Fortinet, and Palo Alto. With these vulnerabilities, hackers can retrieve any file, including sensitive authentication credential files, through a Remote Code Execution (RCE).
Data Retention, Another Privacy Compromise
VPN data leaks do not only happen due to misconfigured protocols and encryptions. But there is also another bad practice followed by some VPN providers that compromise its customers’ privacy: Data Logging and Retention.
Although enterprise VPN service providers would typically avoid logging and retaining customer’s data, there are cases where they are required by law to save logs. For example, The 5-EYES (FVEY) nations is an intelligence/surveillance alliance between five countries: the US, the UK, Canada, Australia, and New Zealand. Some governments in countries like China, Russia, and Sweden also mandate VPN providers that have servers in these countries to retain logs from six months to 10 months.
These countries have some level of mandatory data retention and search warrants to allow intelligence agencies (FBI, feds, police, copyrights, etc.) to push VPN providers to hand over logs from their customers. That would include traffic, IPs, geo-tracking, browsing cookies, and additional sensitive information.
Of course, free VPNs are out of the question — as they inevitably log traffic data and sell it for marketing purposes. Without some form of cash return, free VPN service providers wouldn’t exist. In fact, according to an article from the Verge, most of the free VPNs, especially for Android, leak data, and some of them don’t even use encryption!
How to Avoid Data Leakage from VPNs?
So now that you know the ins and outs of how VPN leaks data, let’s see what you can do to avoid data leakage. The first thing to remember is obviously (as pointed out before) to use VPNs to extend networks, not as privacy tools.
Also, follow the best next practices and tips to avoid breaches of your data:
1.Avoid weak VPNs. Avoid VPNs that do not advertise their encryption mechanism and avoid the ones that use outdated PPTP protocol. You can also check whether your VPN traffic is encrypted with a packet sniffer such as Wireshark.
Professional VPNs are now using a military-grade encryption AES-256 and they will even provide double encryption, which is unbreakable. Another great feature to look for is Kill Switch, which immediately turns off the Internet when the VPN gets disconnected.
If you suspect a data leak, test the VPN with a packet sniffer, such as Wireshark (not a VPN’s official tester). While connected to the VPN, you shouldn’t be able to find unencrypted DNS and IPv6 information. To test WebRTC leaks, you can use the Browserleaks service.
2. Find out about a VPN’s reputation. VPNs are hackable, and most providers (including VPNs that cater to enterprise clients) have been breached some way or the other. Look around the web for news of any historical data leak regarding the VPN provider. If they took action immediately, created a fix, and announced publicly, that’s a positive thing. They want to build trust. And trust is the only thing that can save a VPN’s reputation.
Otherwise, if they concealed the breach, they are likely to do it again. You can run a test at Have I Been Pwned? to check if your personal data has been compromised in a data breach, by a VPN or any other cloud-based service.
3. Look for VPNs based in friendly data-jurisdiction countries. Considering the location of where the VPN provider is registered (as a business) may give you an idea about the data jurisdiction. Avoid VPN providers that are based on the 5-EYES, 9-EYES, or 14-EYES. Any country on the 14-EYES might force the VPN to hand over data logs, ultimately compromising your privacy — if that’s a concern for your organization.
Read through a VPN’s no-logs policy carefully to ensure that third-party authorities will not breach your data.
Data leaks are common across all kinds of VPNs— from free, business, to enterprise VPNs have been subject to some security breach. Of course, free VPNs will intentionally log your data and leak it to third-parties. And depending on the data’s jurisdiction where a business/enterprise VPN is headquartered, they might also be keeping your logs.
VPN service providers also leak data unintentionally. They are still relying on outdated technology vulnerable to data leakage, especially in dual-stack networks (IPv4 and IPv6). The VPN will encrypt IPv4, but fully expose IPv6 information, leading to DNS and WebRTC leaks.
To steer clear from VPN’s data leakage, look for VPNs with strong encryption and rich features. It is also critical to look into their history and reputation; have they had a breach before? Were they honest about it? And published the vulnerability+fix right away?
Looking for VPN alternatives? Check our VPN vs. Remote Access Solution.
We hope that this article was informative. Please leave any comments and suggestions below!