Search Icon
Submissions

VPNInspector: Systematic Investigation of the VPN Ecosystem

Reethika Ramesh (University of Michigan), Leonid Evdokimov (Independent), Diwen Xue (University of Michigan), Roya Ensafi (University of Michigan)

Use of Virtual Private Networks (VPNs) has been growing rapidly due to increased public awareness of online risks to privacy and security. This growth has fueled the VPN ecosystem to expand into a multi-billion dollar industry that sees a frequent influx of new VPN providers. Nevertheless, the VPN ecosystem remains severely understudied, and the limited research concerning VPNs has relied on laborious manual processes. There is a need for a solution which empowers researchers and average users to investigate their VPN providers.

In this work, we present VPNalyzer, a system that enables systematic, semi-automated investigation into the VPN ecosystem. We develop a cross-platform tool with a comprehensive measurement test suite containing 15 measurements that test for aspects of service, security and privacy essentials, misconfigurations, and leakages. Using the VPNalyzer tool, we conduct the largest investigation into 80 desktop VPNs.

Our investigation reveals several previously unreported findings highlighting key issues and implementation shortcomings in the VPN ecosystem. We find evidence of traffic leaks during tunnel failure in 26 VPN providers, which seriously risk exposing sensitive user data. We are the first to measure and detect DNS leaks during tunnel failure, which we observe in eight providers. Overall, we find a majority of providers lack IPv6 support, and five even leak IPv6 traffic to the user's ISP. We observe that adoption of practices we consider security and privacy essentials is not uniform across VPN providers. Multiple providers share underlying infrastructure, and 29 providers use third-party, public DNS services. Alarmingly, 10 VPN providers leak traffic even in their most secure configuration, with six leaking data even with a "kill switch" feature enabled. Our results highlight the effectiveness of VPNalyzer in finding issues even in the most popular VPN providers. Consumer Reports used VPNalyzer in their efforts to create data-driven recommendations for their users.

Paper
Video

View More Papers

Demo #9: Dynamic Time Warping as a Tool for...

Mars Rayno (Colorado State University) and Jeremy Daily (Colorado State University)

Read More

ProvTalk: Towards Interpretable Multi-level Provenance Analysis in Networking Functions...

Azadeh Tabiban (CIISE, Concordia University, Montreal, QC, Canada), Heyang Zhao (CIISE, Concordia University, Montreal, QC, Canada), Yosr Jarraya (Ericsson Security Research, Ericsson Canada, Montreal, QC, Canada), Makan Pourzandi (Ericsson Security Research, Ericsson Canada, Montreal, QC, Canada), Mengyuan Zhang (Department of Computing, The Hong Kong Polytechnic University, China), Lingyu Wang (CIISE, Concordia University, Montreal, QC, Canada)

Read More

Privacy in Urban Sensing with Instrumented Fleets, Using Air...

Ismi Abidi (IIT Delhi), Ishan Nangia (MPI-SWS), Paarijaat Aditya (Nokia Bell Labs), Rijurekha Sen (IIT Delhi)

Read More

Speeding Dumbo: Pushing Asynchronous BFT Closer to Practice

Bingyong Guo (Institute of Software, Chinese Academy of Sciences), Yuan Lu (Institute of Software Chinese Academy of Sciences), Zhenliang Lu (The University of Sydney), Qiang Tang (The University of Sydney), jing xu (Institute of Software, Chinese Academy of Sciences), Zhenfeng Zhang (Institute of Software, Chinese Academy of Sciences)

Read More