With a VPN (Virtual Private Network) the user's Internet connection travels encrypted from computer to VPN server; from there the user's connection travels unencrypted to their final destination (a website). This way, websites only see the VPN's IP address and not the user's.
Perfect Privacy tested a sampling of nine top VPNs and notified the five it found to be vulnerable before releasing the news November 26th. But only Ovpn.to and nVPN changed the settings necessary to block Port Fail attacks.
Popular service Private Internet Access (PIA) initially told press it had fixed the issue, but then recanted its statement of a fix. PIA currently has 3093 servers in 35 locations across 24 countries. Lifehacker lists PIA as number one in its "Five Best VPN Service providers," along with TorGuard, which also allows port forwarding but is not vulnerable to the attack.
The fixes are distressingly simple, and were published on Perfect Privacy's blog along with the November disclosure. The company said via email, "The easiest fix for affected VPN providers is to add firewall rules when a client connects that blocks access from client real IP to port forwardings that are not his own." They explained, "The other option is to assign different entry and exit IPs."
Perfect Privacy's blog post said its customers are not affected by Port Fail.
When targeted by the "Port Fail" attack, the victim has no way of knowing they've lost their anonymity.
For Port Fail to work, the attacker uses the same VPN provider as the target and simply sets up port forwarding. It doesn't matter if the victim has port forwarding turned on or not.
The attacker can get the real IP addresses of any user on the same VPN service by getting the victim to click a link; it then redirects the victim to a port under the attacker's control.
What can attackers find out about you by getting your real IP address with Port Fail?
They can identify your internet service provider (ISP, such as Comcast or Sonic.net). Your ISP knows exactly who you are, and while they're usually reluctant to share that information, they are required to divulge your identity and personal information if they get a court order to do so.
Your IP address reveals where you're located on a map, usually down to the neighborhood, so the Port Fail attacker will know that, too. Port Fail also allows attackers to see which websites you visit, and how often.
It's not a stretch to think that Port Fail would be a gem in the private spying stashes of the RIAA or MPAA, as it apparently uncloaks torrent users quite easily.
It may already be in the NSA's arsenal. The US government already has legal standing for cyberspying on people outside the US, and possible they're willing to go on someone merely being perceived as coming from outside the US -- like when someone uses a foreign VPN.
Last February the Justice Department proposed a new kind of warrant for domestic VPN spying, for "remote access" to devices and desktops when their locations are hidden "through technological means."
There are hundreds of VPN services worldwide; users should find out if the service they use provides port forwarding and ask whether Port Fail has been fixed. We recommend that users direct anyone with questions to Perfect Privacy's remediation post.
After that, if your VPN service hasn't closed the Port Fail hole... It's time for a new VPN.
Update: As we mentioned, PIA backtracked on its initial fix after saying that it had patched the Port Fail hole. The company has since clarified that it inadvertently left a different door open to attackers in its desktop client, but has since patched that problem, too. "To fix this, we are releasing updated VPN apps to prevent any leaks. We highly recommend users update to v.52 (or later) of the client." It added that it has already pushed updates to existing clients, so you can either download it from the application or get the patch here.