Attackers can unmask users hidden behind a VPN connection. A vulnerability in how VPN providers handle port forwarding exposes the real IP address of some users, according to network security experts at Perfect Privacy, a VPN provider.
According to their research, several conditions must be met for this to happen, but none of them is so unusual that an attacker could not easily satisfy it.
Special conditions are needed for the attack to work
First, the VPN provider must allow users to enable port forwarding on their VPN account, which most do. Only the attacker needs to enable the port forwarding feature, not the victim.
The attacker must know the exit IP address of the victim, which can easily be acquired via public IRCs, torrent connections, or by tricking the user into accessing a website under the attacker’s control.
The last condition is that the attacker must set up a VPN account with the same provider as the victim, which is easily done once the attacker knows the exit IP address.
The attack is possible because of an issue with the VPN's internal routing table. If the attacker can make the victim access a resource (for example, an image embedded in a web page) hosted on the same VPN server, the internal routing table combined with the port forwarding setting lets the attacker learn the victim's real IP address.
Perfect Privacy says that it tested this attack scenario with nine of today’s biggest VPN providers, and five of them were vulnerable. They were notified of the issue so that they could start working on fixes.
VPN port forwarding issues affect all VPN protocols
Because the issue occurs at a lower layer of the OSI model than the VPN protocol itself, OpenVPN, PPTP, and IPSec are all inherently affected.
Perfect Privacy recommends that VPN providers use multiple IP addresses: accept incoming VPN connections on IP1, route outgoing client traffic through IP2-IPx, and offer port forwarding on IP2-IPx only, never on IP1. Basically, they should use a separate "man-in-the-middle" IP for port forwarding operations.
Additionally, VPN providers should use a server-side firewall to block access from a client's real IP address to any port-forwarded connection that is not their own.
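The following model, added here and not part of the article or of Perfect Privacy's research, shows why the two recommendations work. It assumes the "internal routing table" problem is the client-side host route that sends packets destined for the VPN server's own IP outside the tunnel, so a forwarded port on that same IP (IP1) sees the client's real address, while a forwarded port on a second IP (IP2) is reached through the tunnel; all addresses are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not taken from the article.
VICTIM_REAL_IP = "198.51.100.7"
VICTIM_TUNNEL_IP = "10.8.0.7"
SERVER_VPN_IP = "203.0.113.10"      # IP1: where clients' tunnels terminate
SERVER_FORWARD_IP = "203.0.113.11"  # IP2: where forwarded ports live (mitigation)


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str  # "tun0" = inside the tunnel, "eth0" = real uplink


def client_routes(vpn_server_ip: str) -> list[Route]:
    """Typical VPN client table (assumed model): everything via the tunnel,
    plus a host route so the encrypted tunnel packets can reach the server."""
    return [
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "tun0"),
        Route(ipaddress.IPv4Network(f"{vpn_server_ip}/32"), "eth0"),
    ]


def select_route(routes: list[Route], dst: str) -> Route:
    """Longest-prefix match, as the client's operating system does."""
    addr = ipaddress.IPv4Address(dst)
    return max((r for r in routes if addr in r.prefix),
               key=lambda r: r.prefix.prefixlen)


def source_seen_by_server(forward_ip: str, real_ip: str, tunnel_ip: str) -> str:
    """Source address the VPN server observes when this client connects to a
    port forwarded on forward_ip. Returns the real IP only if the host route wins."""
    route = select_route(client_routes(SERVER_VPN_IP), forward_ip)
    return real_ip if route.interface == "eth0" else tunnel_ip


def firewall_allows(src_ip: str, forward_owner_real_ip: str,
                    connected_real_ips: set[str]) -> bool:
    """Server-side rule from the article: drop traffic to a forwarded port when
    its source is the real IP of a connected client who does not own the forward."""
    return src_ip not in connected_real_ips or src_ip == forward_owner_real_ip


if __name__ == "__main__":
    print("forward on IP1:", source_seen_by_server(SERVER_VPN_IP, VICTIM_REAL_IP, VICTIM_TUNNEL_IP))
    print("forward on IP2:", source_seen_by_server(SERVER_FORWARD_IP, VICTIM_REAL_IP, VICTIM_TUNNEL_IP))
    print("firewall blocks victim:", not firewall_allows(VICTIM_REAL_IP, "192.0.2.9",
                                                          {VICTIM_REAL_IP, "192.0.2.9"}))
```

Run as-is: the first line prints the victim's real address, the second the tunnel address, and the third shows the firewall rule catching the leak even when the provider keeps a single IP.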
Since there are hundreds of VPN providers online, many of them are bound to be affected by this issue.
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held cyber security researcher positions at a variety of cyber security start-ups. She also has experience in different industry domains such as finance, healthcare and consumer products.