
Attacking VPNs to Challenge Basic Security Assumptions


This project will increase the security and privacy of VPNs and VPN-like technologies.

The majority of censorship circumvention, privacy, and anonymity tools are essentially VPN-like under the hood: they send connections through an encrypted tunnel by re-routing locally generated packets on the VPN client device. This technology takes the burden off the user to, e.g., configure their apps to use a local socket-based proxy. While there has been a great deal of research into securing the encryption tunnel for VPNs, we instead consider the endpoints of the tunnel and the low-level packet routing behaviors within the operating system kernels of the VPN client and VPN server. Our goal is to promote a more solid foundation for the security of VPNs from a packet-level perspective through vulnerability research. Our work builds on William Tolley's OTF-sponsored Internet Controls Fellowship Program project, which led to two CVEs (CVE-2019-9461 and CVE-2019-14899).

Breakpointing Bad is a non-profit founded in 2019 and based in Albuquerque, New Mexico. Our team has over 66 years of combined experience in network security, penetration testing, reverse engineering, malware analysis, developing CTFs for training, IT, and cryptography. The vast majority of these activities have focused on technical security issues motivated by privacy, free speech, and human rights. Our goal is to provide technical expertise and capabilities to at-risk populations subjected to repressive and authoritarian control.

Current project status

Just an idea (Pre-alpha)
It exists! (Alpha/Beta)
It's basically done (Release)
People use it (Production)

Funding to date

2021 $148,603 12 months

Total Funding: $148,603
