Client-Side Vulnerabilities in Commercial VPNs

Tutkimustuotos: Artikkeli kirjassa/konferenssijulkaisussaConference contributionScientificvertaisarvioitu


Internet users increasingly rely on commercial virtual private network (VPN) services to protect their security and privacy. The VPN services route the client’s traffic over an encrypted tunnel to a VPN gateway in the cloud. Thus, they hide the client’s real IP address from online services, and they also shield the user’s connections from perceived threats in the access networks. In this paper, we study the security of such commercial VPN services. The focus is on how the client applications set up VPN tunnels, and how the service providers instruct users to configure generic client software. We analyze common VPN protocols and implementations on Windows, macOS and Ubuntu. We find that the VPN clients have various configuration flaws, which an attacker can exploit to strip off traffic encryption or to bypass authentication of the VPN gateway. In some cases, the attacker can also steal the VPN user’s username and password. We suggest ways to mitigate each of the discovered vulnerabilities.
OtsikkoSecure IT Systems
Alaotsikko24th Nordic Conference, NordSec 2019, Aalborg, Denmark, November 18–20, 2019, Proceedings
ISBN (elektroninen)978-3-030-35055-0
DOI - pysyväislinkit
TilaJulkaistu - 2019
OKM-julkaisutyyppiA4 Artikkeli konferenssijulkaisuussa
TapahtumaNordic Conference on Secure IT Systems - Aalborg, Tanska
Kesto: 18 marraskuuta 201920 marraskuuta 2019
Konferenssinumero: 24


NimiLecture Notes in Computer Science
ISSN (painettu)0302-9743
ISSN (elektroninen)1611-3349


ConferenceNordic Conference on Secure IT Systems

Sormenjälki Sukella tutkimusaiheisiin 'Client-Side Vulnerabilities in Commercial VPNs'. Ne muodostavat yhdessä ainutlaatuisen sormenjäljen.

  • Siteeraa tätä

    Rao, S., Bui, T., Antikainen, M., & Aura, T. (2019). Client-Side Vulnerabilities in Commercial VPNs. teoksessa Secure IT Systems: 24th Nordic Conference, NordSec 2019, Aalborg, Denmark, November 18–20, 2019, Proceedings (Sivut 103-119). (Lecture Notes in Computer Science; Vuosikerta 11875).