Posted at December 15, 2019 in Proxy server, Security alerts articles

VPN services have seen extreme growth in popularity in recent years, as concerns regarding online privacy continue to grow. Not only that, but the increase in censorship and geo-restrictions also caused many to start using these services.

Even so, every VPN user likes to believe that they are safe thanks to their privacy apps, which might not always be the case.

According to a recent report, a new flaw has been discovered that might allow hackers to hijack VPN connections on some devices. According to security researchers, vulnerable devices could allow hackers to inject arbitrary data payloads into IPv4 and IPv6 TCP streams.

After discovering the vulnerability, researchers managed to follow it back to Linux distro markets, as well as the Linux kernel security team. Furthermore, the trace led to a number of other potentially affected systems, such as OpenVPN, WireGuard, and even Apple and Google.

The flaw is currently believed to be a danger for most Linux distributions, but also for OpenBSD, Android, Mac, iOS, and other Unix-like operating systems.


The flaw was reported by three Breakpointing Bad researchers from the University of New Mexico – Beau Kujath, William J. Tolley, and Jedidiah R. Crandall. Tolley then wrote a blog post in which he explained that the flaw exists on most Linux distros, but also on other Unix systems. A network-adjacent attacker could then easily determine whether the user is employing a VPN to connect to any website that is being visited at that time.

He also explained that the team managed to hijack connections by determining the exact seq and ack numbers and counting encrypted packets.

Fortunately, the three researchers also reported that it is possible to fend off the attacks in several different ways. The first method is as simple as enabling reverse path filtering. Another option is to use encrypted packet timing and size, while the third solution is to use bogon filtering to filter fake IPs.
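The first mitigation can be checked on a Linux host by reading the IPv4 `rp_filter` sysctl values. The following is an added example, not code from the researchers or from the original article. It applies the kernel's rule that the higher of `conf/all/rp_filter` and the per-interface value takes effect, and lists every interface that does not end up in strict mode. The function names, the sample values, and the choice to flag loose mode as well as disabled filtering are assumptions of this example.

```python
import os
import tempfile

MODES = {0: "off", 1: "strict", 2: "loose"}

def read_rp_filter(conf_dir="/proc/sys/net/ipv4/conf"):
    """Return {interface: rp_filter value} from a sysctl conf directory."""
    values = {}
    for iface in sorted(os.listdir(conf_dir)):
        try:
            with open(os.path.join(conf_dir, iface, "rp_filter")) as fh:
                values[iface] = int(fh.read().strip())
        except (OSError, ValueError):
            continue  # no readable rp_filter value for this entry
    return values

def audit(values):
    """Return {interface: (effective value, mode)} for interfaces not in strict mode."""
    all_value = values.get("all", 0)
    findings = {}
    for iface, own in values.items():
        if iface in ("all", "default"):
            continue  # "default" only seeds interfaces created later
        effective = max(all_value, own)  # the kernel uses the higher of the two
        if effective != 1:
            findings[iface] = (effective, MODES.get(effective, "unknown"))
    return findings

def write_tree(root, values):
    """Write a constructed conf tree so the audit can run without a live system."""
    for iface, value in values.items():
        os.makedirs(os.path.join(root, iface), exist_ok=True)
        with open(os.path.join(root, iface, "rp_filter"), "w") as fh:
            fh.write(f"{value}\n")

# Constructed sample values, not taken from any real host.
SAMPLE = {"all": 0, "default": 1, "eth0": 1, "tun0": 0, "wlan0": 2}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, SAMPLE)
        for iface, (value, mode) in audit(read_rp_filter(root)).items():
            print(f"{iface}: effective rp_filter={value} ({mode})")
```

On a real system, calling `audit(read_rp_filter())` with no argument reads the live values under `/proc/sys/net/ipv4/conf`. The `rp_filter` sysctl covers IPv4 only.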

For now, researchers are withholding their in-depth analysis of the flaw. However, they will publish it as soon as the appropriate workaround is found, so that no one would be able to exploit the flaw.


The discovery of such a serious flaw might be seen as a sign that VPNs are no longer capable of protecting people from online threats. However, according to Jake Moore, an online security specialist from ESET, this is not the case. In fact, he believes that VPNs still have a major role in data privacy, even though they were found to be flawed in such a way.

Of course, he notes that VPNs should only be considered one of the tools that a person would use in order to secure themselves online. Relying on a VPN to solve all of the online security issues is a bit unrealistic. Furthermore, Moore addressed other instances where VPN services were breached, but even so, his opinion of the VPNs’ role in online security did not change.

It is also worth noting that the majority of VPN users do not have to fear that this type of attack will be used against them. Still, extra caution and increased awareness are always welcome, as a user might end up being a part of an untargeted data breach. One example of this would be getting caught up in a man-in-the-middle attack, which is something that might happen when users connect to a public hotspot.

In other words, while VPNs were believed to be a proper security measure that could protect users who connect to public Wi-Fi, this might not be the case anymore, at least until a fix for the vulnerability is found and implemented.

Still, in cases where 4G is offered, using it is much better from the privacy and security point of view than any public Wi-Fi. Of course, there are instances when the public hotspot is the only option that the user has, which is why C-Suite level personnel need to improve the protection methods and ensure that the users will be safe in those situations as well.