Client-side Vulnerabilities in Commercial VPNs
Thanh Bui, Siddharth Prakash Rao, Markku Antikainen, Tuomas Aura

TL;DR
This paper examines security flaws in commercial VPN client configurations across multiple platforms, revealing vulnerabilities that can compromise user privacy and suggesting mitigation strategies.
Contribution
It provides a detailed analysis of common VPN client setup flaws and their security implications, offering specific mitigation approaches.
Findings
VPN clients have configuration flaws exploitable by attackers
Attackers can strip encryption or bypass VPN authentication
User credentials can be stolen through vulnerabilities
Abstract
Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client's traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client's real IP address from online services, and they also shield the user's connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal…
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
