Your VPN may be worthless

An easily fixable flaw exposes your private online activity.

You may have heard that VPN provider Perfect Privacy found a massive security hole in most services -- one that can de-anonymize users, rendering the VPN useless.

Two weeks have passed and most affected providers still haven't fixed the problem, called "Port Fail."

Perfect Privacy told Engadget via email, "We have not tested this again after the fact so we can make no definite statement on the current number of affected VPN providers." This means that the majority of VPN users may as well not be using one, which is bad news for people whose safety and security rely on keeping their IP address private -- or those who just want to safely use public Wi-Fi.

Perfect Privacy urges "anyone using a VPN service to ask their support desk whether this issue has been fixed."

With a VPN (Virtual Private Network) the user's Internet connection travels encrypted from computer to VPN server; from there the user's connection travels unencrypted to their final destination (a website). This way, websites only see the VPN's IP address and not the user's.

Perfect Privacy tested a sampling of nine top VPNs and notified the five it found to be vulnerable before releasing the news November 26th. But only Ovpn.to and nVPN changed the settings necessary to block Port Fail attacks.

Popular service Private Internet Access (PIA) initially told press it had fixed the issue, but then recanted its statement of a fix. PIA currently has 3093 servers in 35 locations across 24 countries. Lifehacker lists PIA as number one in its "Five Best VPN Service providers," along with TorGuard, which also allows port forwarding but is not vulnerable to the attack.

The fixes are distressingly simple, and were published on Perfect Privacy's blog along with the November disclosure. The company said via email, "The easiest fix for affected VPN providers is to add firewall rules when a client connects that blocks access from client real IP to port forwardings that are not his own." They explained, "The other option is to assign different entry and exit IPs."
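
The first fix quoted above can be sketched as a server-side hook. This is an added example, not Perfect Privacy's or any provider's code: it assumes a Linux VPN server using iptables, a forwarding table of "port proto owner" lines, and constructed addresses and account names, and it only prints the rules rather than applying them.

```shell
#!/bin/sh
# Print the iptables rules a VPN server would load when a client
# connects (action A) or remove when it disconnects (action D).
# Assumption: 198.51.100.10 is a constructed exit IP for this server.
VPN_EXIT_IP="198.51.100.10"

# Constructed sample forwarding table: port, protocol, owning account.
SAMPLE_FORWARDS="40001 tcp alice
40002 tcp bob
40003 udp bob
40004 tcp carol"

# portfail_rules ACTION REAL_IP CLIENT_ID   (forwarding table on stdin)
portfail_rules() {
    action=$1 real_ip=$2 client=$3
    case $action in A|D) ;; *) echo "bad action" >&2; return 2 ;; esac
    # The output is meant to be fed to a shell, so refuse any source
    # address containing characters other than digits and dots.
    case $real_ip in
        ''|*[!0-9.]*) echo "bad source address" >&2; return 2 ;;
    esac
    while read -r port proto owner; do
        [ -n "$port" ] || continue
        # The client may still reach its own forwards from its real IP.
        [ "$owner" = "$client" ] && continue
        case $port in *[!0-9]*) continue ;; esac
        case $proto in tcp|udp) ;; *) continue ;; esac
        # raw/PREROUTING is traversed before the nat table's DNAT rules,
        # so the packet is dropped before it reaches the forward's owner.
        echo "iptables -t raw -$action PREROUTING -s $real_ip -d $VPN_EXIT_IP -p $proto --dport $port -j DROP"
    done
    return 0
}

# Demo: bob connects from 203.0.113.7 (constructed address).
printf '%s\n' "$SAMPLE_FORWARDS" | portfail_rules A 203.0.113.7 bob
```

Running the same function with action D on disconnect prints the matching delete commands, so stale rules do not pile up for an address the client no longer uses.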

Perfect Privacy's blog post said its customers are not affected by Port Fail.

When targeted by the "Port Fail" attack, the victim has no way of knowing they've lost their anonymity.

For Port Fail to work, the attacker uses the same VPN provider as the target and simply sets up port forwarding. It doesn't matter if the victim has port forwarding turned on or not.

The attacker can get the real IP addresses of any user on the same VPN service by getting the victim to click a link; it then redirects the victim to a port under the attacker's control.

What can attackers find out about you by getting your real IP address with Port Fail?

They can identify your internet service provider (ISP, such as Comcast or Sonic.net). Your ISP knows exactly who you are, and while they're usually reluctant to share that information, they are required to divulge your identity and personal information if they get a court order to do so.

Your IP address reveals where you're located on a map, usually down to the neighborhood, so the Port Fail attacker will know that, too. Port Fail also allows attackers to see which websites you visit, and how often.

It's not a stretch to think that Port Fail would be a gem in the private spying stashes of the RIAA or MPAA, as it apparently uncloaks torrent users quite easily.

It may already be in the NSA's arsenal. The US government already has legal standing for cyberspying on people outside the US, and it's possible they're willing to go on someone merely being perceived as coming from outside the US -- like when someone uses a foreign VPN.

Last February the Justice Department proposed a new kind of warrant for domestic VPN spying, for "remote access" to devices and desktops when their locations are hidden "through technological means."

There are hundreds of VPN services worldwide; users should find out if the service they use provides port forwarding and ask whether Port Fail has been fixed. We recommend that users direct anyone with questions to Perfect Privacy's remediation post.

After that, if your VPN service hasn't closed the Port Fail hole... It's time for a new VPN.

Update: As we mentioned, PIA backtracked on its initial fix after saying that it had patched the Port Fail hole. The company has since clarified that it inadvertently left a different door open to attackers in its desktop client, but has since patched that problem, too. "To fix this, we are releasing updated VPN apps to prevent any leaks. We highly recommend users update to v.52 (or later) of the client." It added that it has already pushed updates to existing clients, so you can either download it from the application or get the patch here.