VPN Hole Shows User’s IP Address
Tuesday, December 1, 2015 @ 02:12 PM gHale
A vulnerability in how VPN providers handle port forwarding can reveal users’ real IP addresses, researchers said.
As with most security issues, the conditions have to be just right for this to happen, but none of them is so far-fetched that an attacker could not take advantage, said researchers at Perfect Privacy, a VPN provider.
First, the VPN provider must allow users to enable port forwarding on their VPN account, which most do. Only the attacker needs to enable the port forwarding feature, not the victim, the researchers said in a blog post.
Second, the attacker must know the victim’s exit IP address, which can easily be acquired via public IRC channels, torrent connections, or by tricking the user into visiting a website under the attacker’s control.
The last condition is that the attacker must set up a VPN account with the same provider as the victim, which is easy to do once the attacker knows the exit IP address.
The attack is possible because of an issue with the VPN’s internal routing table. If the attacker can make the victim access a resource (such as an image embedded in a web page) hosted on the same VPN server, the internal routing table combined with the port forwarding setting lets the attacker learn the victim’s real IP address, researchers said.
Researchers at Perfect Privacy tested this attack scenario with nine of today’s biggest VPN providers, and five of them were vulnerable. The vulnerable providers are now aware of the issue and are working on fixes.
Because the issue lies at a lower network layer of the OSI model, VPN protocols such as OpenVPN, PPTP, and IPSec are all affected.
Perfect Privacy recommended that VPN providers use multiple IP addresses: accept incoming connections on IP1 and route outgoing connections through IP2 to IPx, with port forwarding on IP2 to IPx rather than on IP1. In other words, they should use a separate, man-in-the-middle IP for port forwarding.
Additionally, VPN providers should use a server-side firewall to block access from a client’s real IP address to any port-forwarded connection that is not that client’s own.
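To make the routing behaviour and the two recommended fixes concrete, here is an added Python model, written for this page; it is not Perfect Privacy’s code or any provider’s configuration. It assumes that a connected VPN client keeps a host route for the server’s entry IP via its physical interface (which is what lets a packet to that IP leave with the real source address), and it models both the split-IP layout and the server-side firewall rule. All IP addresses, ports and account names are constructed sample values.

```python
"""Simplified model of the VPN port-forwarding leak described in the article
and of the two mitigations (separate entry/exit IPs, server-side firewall).

Added example for this article; not Perfect Privacy's code or any provider's
configuration. Every IP address, port and account name below is a constructed
sample value.
"""
from dataclasses import dataclass, field


@dataclass
class VpnServer:
    entry_ip: str                  # address clients connect to (the tunnel endpoint)
    # (listening IP, port) -> account that owns the forwarded port
    forwards: dict = field(default_factory=dict)
    # account -> real public IP the client connected from
    sessions: dict = field(default_factory=dict)
    firewall: bool = False         # mitigation 2 enabled?


def client_egress(dst_ip, server, real_ip, tunnel_ip):
    """Which interface and source IP a connected client uses to reach dst_ip.

    The client keeps a host route for the server's entry IP via the physical
    interface so the tunnel itself can be established; all other traffic goes
    into the tunnel. Hence a packet for the entry IP leaves with the real IP,
    anything else leaves with the tunnel-assigned IP.
    """
    if dst_ip == server.entry_ip:
        return "physical", real_ip
    return "tunnel", tunnel_ip


def server_ingress(server, src_ip, dst_ip, dst_port):
    """What the server does with an inbound packet aimed at a forwarded port.

    Returns (action, source IP seen by the port owner).
    """
    owner = server.forwards.get((dst_ip, dst_port))
    if owner is None:
        return "no_forward", None
    if server.firewall:
        # Mitigation 2: a packet whose source is the real IP of a connected
        # client must not reach a forwarded port owned by a different client.
        for account, real_ip in server.sessions.items():
            if real_ip == src_ip and account != owner:
                return "dropped", None
    return "forwarded", src_ip


def fetch_from_forwarded_port(server, victim_real, victim_tunnel, target_ip, port):
    """The victim, connected to the VPN, fetches a resource on target_ip:port.

    Returns (client path, server action, source IP the port owner observes).
    """
    path, src_ip = client_egress(target_ip, server, victim_real, victim_tunnel)
    action, seen = server_ingress(server, src_ip, target_ip, port)
    return path, action, seen


# Constructed sample values for the three scenarios.
VICTIM_REAL, VICTIM_TUNNEL = "203.0.113.5", "10.8.0.23"
ATTACKER_REAL = "192.0.2.77"
ENTRY_IP, EXIT_IP, PORT = "198.51.100.10", "198.51.100.11", 40000
SESSIONS = {"victim": VICTIM_REAL, "attacker": ATTACKER_REAL}


def vulnerable_server():
    """One IP for everything: the forwarded port lives on the entry IP."""
    return VpnServer(ENTRY_IP, {(ENTRY_IP, PORT): "attacker"}, dict(SESSIONS))


def split_ip_server():
    """Mitigation 1: forwarded ports only on exit IPs, never on the entry IP."""
    return VpnServer(ENTRY_IP, {(EXIT_IP, PORT): "attacker"}, dict(SESSIONS))


def firewalled_server():
    """Mitigation 2: forwarding still on the entry IP, but the firewall rule is on."""
    return VpnServer(ENTRY_IP, {(ENTRY_IP, PORT): "attacker"}, dict(SESSIONS), firewall=True)


def leaks_real_ip(server, target_ip):
    """True if the port owner ends up seeing the victim's real IP."""
    _, _, seen = fetch_from_forwarded_port(server, VICTIM_REAL, VICTIM_TUNNEL, target_ip, PORT)
    return seen == VICTIM_REAL


if __name__ == "__main__":
    for name, srv, ip in [("vulnerable", vulnerable_server(), ENTRY_IP),
                          ("split IPs", split_ip_server(), EXIT_IP),
                          ("firewalled", firewalled_server(), ENTRY_IP)]:
        print(name, fetch_from_forwarded_port(srv, VICTIM_REAL, VICTIM_TUNNEL, ip, PORT),
              "leak" if leaks_real_ip(srv, ip) else "no leak")
```

In the single-IP layout the victim’s request to the forwarded port leaves over the physical interface and is relayed to the port owner with the real source address. With forwarded ports moved to a separate exit IP the same request travels inside the tunnel and only the tunnel-assigned address is visible; with the server-side rule enabled, a packet from a connected client’s real IP to another client’s forwarded port is dropped before it is relayed. Running both mitigations together is the safer choice, since each covers the case where the other is misconfigured.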