Tests indicate that every VPN product is vulnerable on at least one device, the researchers say. VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable.

  • Em Adespoton
    link
    fedilink
    arrow-up
    31
    ·
    1 year ago

    I wish they’d been more specific in the general description; this is a local routing attack that can be applied against clients of public VPN services.

    For a moment I was worried about my personal VPN, which is not configured in a way that this abuse could happen.

    • jet@hackertalks.com
      link
      fedilink
      English
      arrow-up
      7
      ·
      edit-2
      1 year ago

      Traffic leaking has always been a concern when sitting up a VPN or any network infrastructure. Especially when you’re dealing with sensitive data. These concerns are old, and not sensational, new traffic leak discovered in local routing configuration of some VPN clients.

      The truly paranoid would have a always-on VPN, no traffic may go outside the VPN, defense in depth. A VM that can only talk to the VPN endpoint. You could use qubes to configure something bulletproof, mullvad even has an article explaining how to do this yourself.

      Just out of good hygiene I have leak checks in my computing systems. If they succeed it shuts everything down. Like if you open a browser it checks your external facing IP address. Imagine it’s pretty common for people.

      • Em Adespoton
        link
        fedilink
        arrow-up
        3
        ·
        1 year ago

        Very few people have functional leak checking set up; personally, I think it should be a built-in OS level function.