Senior ICFP fellow William Tolley diagnoses and discloses critical vulnerability in VPNs
Tue, 2020-05-26 13:33

Many people in the United States and other parts of the global West think of Virtual Private Networks (VPNs) simply as a way to spoof their location so they can reach streaming services or other online features that are not available where they live. For citizens living under repressive regimes, however, VPNs mean far more. Their security properties provide gateways to the international community and avenues for free speech. But VPNs are not bulletproof, and the consequences for users whose activity is exposed can be particularly severe precisely because they acted on the assumption that they were anonymous. That is why in 2019 Senior Information Controls Fellowship Program (ICFP) fellow William Tolley worked with Berkeley's International Computer Science Institute to investigate ways in which VPNs can be exploited by malicious actors. The vulnerability that William ultimately discovered challenged a foundational digital security assumption: that using a VPN on a public network makes browsing there safe.

Modern VPNs create encrypted tunnels from users to VPN servers. The VPN server acts as a middleman, forwarding the user's traffic so that the destination sees the server's address rather than the user's. Because observers on the local network see only encrypted traffic to the VPN server, users gain confidentiality and a degree of anonymity. But despite being used today as a go-to tool for secure browsing, VPNs were originally designed only to grant remote users access to the resources of private networks that otherwise had to be accessed on-site. Traditional VPN configurations were never designed to provide the kind of security now advertised by commercial VPN companies. That matters, because the risks of this retrofitting have not yet been fully explored. And, as William's research revealed, in certain situations an informed third-party attacker can exploit these risks in less than thirty seconds.

With guidance from Professors Narseo Vallina-Rodriguez and Jed Crandall, William discovered a new class of vulnerability for VPNs: an attacker on the same local network as a victim can determine whether the victim is using a VPN to connect to a specific website. The tunnel's encryption is not broken; what leaks is which connections exist inside it. By virtue of sharing the network, an attacker can quickly run through a list of banned or targeted websites and learn whether someone on the network is reaching them via a VPN. This plainly debunks the assumption of full browsing anonymity for VPN users. But the vulnerability does not stop there. Even if the victim's connection to the site is protected by SSL/TLS, an attacker can exploit the vulnerability to deny service. And if the victim is connected over plain HTTP, an attacker can go so far as to hijack the connection outright.

At first it may seem like good news that this vulnerability only exists when victim and attacker share a network. In practice, though, that condition describes exactly the situation of the people who depend on VPNs most, so they are the ones most exposed to this newly discovered vulnerability. Many individuals who use VPNs to avoid persecution do so understanding that certain risks remain. For them, using a VPN at home brings an added layer of fear: what happens if someone discovers they were using a VPN? Questions will be asked, often with no safe answer. To reduce that concern, many such individuals choose to use a VPN only on a public network, at a coffee shop, park, or restaurant, so that their use of a VPN is harder to trace back to them. Until now, common digital security knowledge held that this choice, using a VPN on a public network, was a best practice. William's research reveals otherwise.

What this means going forward is that users who want to reach banned or censored websites should learn more before relying on VPNs to do so in public spaces. The vulnerability exposed by William's attack shows a fundamental flaw in the claim, made by VPN proponents, that using a VPN on a public network prevents malicious actors from knowing which websites you visit, from blocking your access to specific sites, or from spoofing websites to steal your information and spy on you. These problems stem from the fact that VPNs were retrofitted to provide browsing security and anonymity without a full analysis of the risks that this changed purpose poses to users.

Upon finding the vulnerability, William and his colleagues reported it to the Linux kernel security team, the Android and Apple security teams, and the private distros mailing list associated with oss-security. Public disclosure followed once the maximum embargo period for each of the private notifications had expired. In response, some VPN vendors and operating systems, but not all, implemented fixes of varying completeness. Check whether the VPN vendor or operating system you use is among them. If the tools you use have not yet shipped a fix, be aware that you may be better served by an alternative such as Tor Browser in situations where you previously would have relied on a VPN to protect your browsing. And if you are intent on using a VPN, consider one such as WireGuard, whose developers have actively worked to mitigate security risks of this kind.
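The page describes the attack's effects but not its mechanism, and the fixes it mentions are not spelled out either. The class of attack described here depends on the victim's operating system accepting a packet addressed to the VPN tunnel's virtual address even when that packet arrives over the local Wi-Fi or Ethernet interface, where an on-link attacker can hand it to the victim directly; a host that refuses such off-tunnel packets gives the attacker nothing to probe. The following is an added example written for this page, not code from William's team or from any VPN project. It models that host-side check in Python over a few constructed packets, and also emits an iptables rule of the form WireGuard's wg-quick installs on Linux for the same purpose. Interface names, addresses and sample packets are invented for illustration.

```python
"""Model of the host-side check that defeats same-network probing of a VPN tunnel.

Constructed illustration: interface names, addresses and packets are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class Iface:
    name: str
    addr: IPv4Address
    is_tunnel: bool = False


@dataclass(frozen=True)
class Packet:
    ingress: str          # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address


class Host:
    """A host with a physical interface and a VPN tunnel interface."""

    def __init__(self, ifaces, strict_tunnel=True):
        self.by_name = {i.name: i for i in ifaces}
        self.by_addr = {i.addr: i for i in ifaces}
        self.strict_tunnel = strict_tunnel

    def accept(self, pkt):
        """Should the host process this packet at all?"""
        owner = self.by_addr.get(pkt.dst)
        if owner is None:
            return False                       # not one of our addresses: silently ignored
        if not owner.is_tunnel or not self.strict_tunnel:
            return True                        # weak host model: any local address, any interface
        return pkt.ingress == owner.name       # tunnel address only reachable through the tunnel

    def probes(self, pkts):
        """Packets for the tunnel address that arrived off-tunnel: what a detector alerts on."""
        hits = []
        for p in pkts:
            owner = self.by_addr.get(p.dst)
            if owner is not None and owner.is_tunnel and p.ingress != owner.name:
                hits.append(p)
        return hits


def iptables_rule(tunnel_iface, tunnel_addr):
    """Linux rule of the form wg-quick adds: drop packets for the tunnel address that did not
    arrive via the tunnel, unless the source is local (so the host's own traffic is untouched)."""
    return (f"iptables -t raw -I PREROUTING ! -i {tunnel_iface} -d {tunnel_addr} "
            f"-m addrtype ! --src-type LOCAL -j DROP")


# Constructed host: Wi-Fi on 192.168.1.23, VPN tunnel virtual address 10.8.0.5.
IFACES = [Iface("wlan0", ip_address("192.168.1.23")),
          Iface("tun0", ip_address("10.8.0.5"), is_tunnel=True)]

# Constructed traffic. 203.0.113.10 stands in for a website the victim visits via the VPN.
SAMPLE = [
    Packet("wlan0", ip_address("192.168.1.1"), ip_address("192.168.1.23")),  # ordinary LAN traffic
    Packet("tun0", ip_address("203.0.113.10"), ip_address("10.8.0.5")),      # website reply, via the tunnel
    Packet("wlan0", ip_address("203.0.113.10"), ip_address("10.8.0.5")),     # on-link attacker spoofing the site
    Packet("wlan0", ip_address("192.168.1.99"), ip_address("10.8.0.200")),   # attacker guessing a wrong tunnel address
]


def evaluate(strict):
    """Which sample packets the host processes under the weak (False) or strict (True) model."""
    host = Host(IFACES, strict_tunnel=strict)
    return [host.accept(p) for p in SAMPLE]


if __name__ == "__main__":
    print("weak host model  :", evaluate(False))   # the spoofed off-tunnel packet is processed
    print("strict tunnel    :", evaluate(True))    # it is dropped like any other non-local packet
    print("probes to log    :", Host(IFACES).probes(SAMPLE))
    print(iptables_rule("tun0", "10.8.0.5"))
```

Under the weak model the third packet is processed while the fourth is ignored, so an attacker who sends such packets to every candidate address learns which one is the victim's tunnel address from the difference in response, and can go on to probe individual connections the same way. Under the strict model both packets are treated identically, which is the property the operating-system and VPN fixes referred to above restore.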

Since the disclosures, the team, which also includes Beau Kujath, has submitted a paper about the vulnerability and its implications that is currently under review. They have also started to develop additional attacks building on what the vulnerability revealed. The team ultimately plans to release a white paper and the source code, but is first waiting for additional mitigations to reach vulnerable users on Android and Apple devices.

Given the nature of the disclosure, many outlets across the internet offered commentary on the vulnerability and characterizations of how the attack works. Unfortunately, that coverage also spread misinformation about the attack and the risks it poses. William therefore drafted a detailed explanation of the vulnerability to clear up the confusion and offer practical advice to help those affected protect themselves.

You can read William’s in-depth explanation of the vulnerability and his team’s efforts to disclose it here.

About the program: OTF’s Information Controls Fellowship Program (ICFP) supports examination into how governments in countries, regions, or areas of OTF’s core focus are restricting the free flow of information, impeding access to the open internet, and implementing censorship mechanisms, thereby threatening the ability of global citizens to exercise basic human rights and democracy. The program supports fellows to work within host organizations that are established centers of expertise by offering competitively paid fellowships for three, six, nine, or twelve months in duration.