VPNs are supposed to protect your privacy, but new research has uncovered a sophisticated way to exploit a user’s VPN activity to spy on and potentially hack their computers.
On Tuesday, a team of researchers presented a paper about a vulnerability called “port shadow,” which can affect some VPN services but not others.
“Our research reveals that using a VPN opens you up to similar attacks from other VPN users with whom you share your VPN server,” the researchers warned in a FAQ.
At first glance, the attack seems scary. That’s because the research shows how a VPN can actually make a user less secure in specific situations. “When one connects to a privacy enhancing VPN server used by other users, one shares a public IP and ports with other users to anonymize one’s communications. Such resource sharing is by design but also makes the attacks possible,” the researchers wrote.
The good news is that the flaw doesn’t appear to be easy to exploit. And several VPN providers, including NordVPN, ExpressVPN, and Surfshark, are protected from the threat by their server configurations.
The attack targets a shared resource on VPN servers called the “connection tracking framework,” which is responsible for many VPN functions. These include keeping tabs on user connections, routing web traffic, and masking the user’s real IP address.
“The connection tracking framework has a lot of control over how the VPN server sends and receives packets. More importantly, it is shared by all VPN clients connected to the VPN server and can be modified by any VPN client,” the researchers wrote in the FAQ. “This makes it possible for a malicious client to force the VPN server to reroute packets in various ways.”
To do so, the researchers developed techniques to create “collisions” in the VPN’s connection-tracking framework, which can manipulate the system. The result paves the way for a hacker to attack other users on the same VPN server, including snooping on their unencrypted data and re-routing them to malicious websites.
Attacking Connection Tracking Frameworks as used by Virtual Private Networks. (Credit: Citizen Lab)
That said, a hacker can only exploit the vulnerability under certain conditions: “The attacker knows the target’s public IP address; the attacker knows the VPN server IP; and, the VPN server’s entry and exit IP addresses are the same,” the researchers wrote.
As a result, the port shadow flaw appears better suited for a government or state-sponsored hacker to abuse since they’ll have more resources to uncover a user’s real IP address and the VPN servers they’ve been connecting to.
In addition, the research paper found that only “half” of the top 10 VPN providers tested are susceptible to the port shadow attack. That’s because some VPN services use a “multi-hop” architecture that protects against the vulnerability.
“NordVPN, Express, and Surfshark are configured such that the IP [address] you connect to is different than the IP your packets leave from, so there isn’t a collision of ports and IPs,” Benjamin Mixon-Baca, a co-author of the paper, tells PCMag.
In response, ExpressVPN said: “Our VPN servers use different entry and exit IP addresses, preventing the key conditions necessary for the attack described in the report. This is industry best practice—it enhances user privacy by preventing websites or ISPs from tying activity to specific individuals.”
Meanwhile, NordVPN said: “We appreciate the work authors do to make an industry safer. However, we believe that generalizations are undermining the trust of the VPN industry, especially since not all services are affected by the vulnerability, as noted in the paper.”
The researchers behind the port shadow flaw didn’t examine all VPN services but found the attack can affect VPN protocols, including OpenVPN, WireGuard, and OpenConnect. “Because the vulnerability is not part of the OpenVPN or WireGuard software stacks, their developers have little recourse regarding mitigations,” they added. However, switching to other protocols, such as Shadowsocks or Tor, can protect a user from the threat.
Mixon-Baca added that the flaw was originally disclosed in 2021 under the vulnerability CVE-2021-3773. However, the newly released paper, which covers the full scope of the threat, wasn’t accepted until 2024. “We didn’t have the logistics in place for a more widespread technical release at the time,” he said.
Mixon-Baca also noted: “We didn’t systematically test any of the major VPN providers because the attacks modify state on the server that could interfere with or cause issues for legitimate VPN clients.”