VPNs used to stay anonymous online still vulnerable to hackers with fake data packets

    [ad_1]

    Pandemic lockdowns led to an explosion in virtual private networks (VPNs), but a new report warns these ‘private tunnels’ are vulnerable to a particularly insidious attack that analyzes the size of the data packets zipping through them.   

    Disguising IP addresses, VPNs link user and their provider’s data center, assigning each one of tens of thousands of ‘ports,’ or digital on and off-ramps, for the data to travel through. 

    Data packets sent over a VPN tunnel are encrypted and then encapsulated inside an outer packet before they’re routed.

    In the proposed attack, outer data packets of various sizes are sent to numerous ports. Most won’t be the right size and will be rejected—but if one hits the right port, it’ll get forwarded on.

    A hacker monitoring traffic could see the size of the packet that made it through and, from there, modify their source address so the system thinks something is coming from the other end of the VPN tunnel.

    At that point, the cybercriminals can infect users with malicious data or send them to a bogus website

    Scroll down for video

    A new report suggests hackers can exploit VPNs by blitzing them with data packets of various sizes. If one gets forwarded on, they can then modify their source address so the system thinks something is coming from the other end of the VPN tunnel

    A new report suggests hackers can exploit VPNs by blitzing them with data packets of various sizes. If one gets forwarded on, they can then modify their source address so the system thinks something is coming from the other end of the VPN tunnel

    Regular office workers aren’t the likely targets of such an attack, which would require a physical presence in the right part of an IT network to pull off.

    ‘These attacks can’t be performed by some kid in the basement,’ Gareth Tyson, a cybersafety expert at Queen Mary University of London, told New Scientist. ‘It’s something that does require some dedicated effort, and in some cases a pretty powerful adversary.’

    It would more likely be employed ‘in an authoritarian regime where the state controls all the infrastructure,’ Tyson added.

    The vulnerability was uncovered by a team led by computer scientist William Tolley, a graduate student at Arizona State University and co-founder of Breakpointing Bad, a nonprofit that focuses on ‘technical security issues motivated by privacy, free speech, and human rights,’ according to its website.

    The attack would require'dedicated effort' and a physical presence in the right part of an IT network to work. Experts say the most likely culprit would be a totalitarian regime with complete control over the infrastructure

    The attack would require ‘dedicated effort’ and a physical presence in the right part of an IT network to work. Experts say the most likely culprit would be a totalitarian regime with complete control over the infrastructure

    Such a Trojan horse attack would work on any VPN, Tolley said.
     

    ‘This is more fundamental than a cute trick,’ he told New Scientist. ‘It’s a fundamental networking vulnerability.’

    Breakingpoint Bad’s stated goal is ‘to provide technical expertise and capabilities to at-risk populations subjected to repressive and authoritarian control.’

    WHAT IS A VIRTUAL PRIVATE NETWORK? 

    A Virtual Private Network (VPN) extends across a public network, and enables users to send and receive data while maintaining the secrecy of a private network.

    VPN’s are often used to allow employees to access the server of their office/workplace to allow for mobile working. 

    They increase privacy and the internet security of users connected to public networks.  

    They are also used to link offices/branches of the same company that are in different locations. 

    Theoretically, all the information that passes through a VPN secure and can not be intercepted by anyone else. 

    Although they do not offer total anonymity online, they are often used to optimise privacy. 

    VPN’s can also be used by individuals to allow them to get around geographical restrictions and censorship – for example, accessing the Netflix of the US from the UK or vice versa. 

    Their use in ‘geo-spoofing’ locations is also used in to aid freedom of speech as many users wish to escape the limitations placed on their browsing by employers, organisations or third-parties.  

    A VPN can also help protect you against malware or cons on the web. 

     

    ‘Protecting network protocols within an encrypted tunnel, using technologies such as Virtual Private Networks (VPNs), is increasingly important to millions of users needing solutions to evade censorship or protect their traffic against in/on-path observers/attackers,’ reads a blog post on the site.

    Tolley’s report, presented at the virtual Usenix Security Symposium last week, adds to the evidence that VPNs are not the bulletproof shield against hacking some companies believe them to be.

    Two weeks ago, Cisco Systems rolled out a series of patches to address critical vulnerabilities in a subset of its small-business VPN routers that would allow hackers to take over a device remotely, Threat Post reported.

    Security experts warned that nearly 9,000 systems could have been compromised.

    According to the security-exposure firm Tenable, an unauthenticated user could send a specially designed HTTP request to a device, ‘resulting in arbitrary code-execution as well as the ability to reload the device, resulting in a denial of service (DoS).’

    No actual breaches were reported, though.

    More broadly a VPN won’t protect users against malware, phishing or other cyberattacks that don’t require access to your IP address.

    Unsuspecting users can still be exposed if they visit unauthorized sites or try to download third-party content.

    In July, a joint advisory from the United States’ FBI and Cybersecurity and Infrastructure Security Agency, the UK’s National Cyber Security Center and Australia’s Cyber Security Center indicated four of the 30 most exploited online vulnerabilities between 2018 and 2020 resided in VPNs, cloud-based services, and other tech designed to give users access to employer networks remotely.

    ‘Many VPN gateway devices remained unpatched during 2020,’ according to Ars Technica, at the height of the work-from-home trend.

    Breakingpoint Bad says they reported the flaw to several VPN providers, but don’t expect all VPNs will be updated to resolve the vulnerability.

    ‘Our advice is to avoid VPNs if you’re trying to keep your information private from government entities, or something like that,’ Tolley told New Scientist 

    [ad_2]

    Previous articleSeptember number plate changes to make it easier for police to scan plate
    Next articleVictoria and David Beckham joined by daughter Harper for Inter Miami game

    LEAVE A REPLY

    Please enter your comment!
    Please enter your name here