Tool to analyze the security, privacy of VPNs wins first place for applied security research in 2022

VPNalyzer has revealed a number of shortcomings in the design and implementation of popular virtual private networks. The paper earned first prize at New York University's CSAW '22 Applied Research Competition.
Doctoral student Reethika Ramesh at the New York University CSAW ’22 Applied Research Competition, along with two event judges, Boaz Gelbord and Kevin Boyles.

Internet users around the world rely on virtual private networks (VPNs) for privacy, security, and circumventing regional content blocks. But a series of studies at the University of Michigan has found that this trust may be misplaced – the VPN ecosystem is more complex than it first appears, and may suffer from a number of privacy and security vulnerabilities.

VPNalyzer, a desktop tool with a measurement test suite, together with its application in a market study led by doctoral student Reethika Ramesh and assistant professor Roya Ensafi, won first place in the Applied Research Competition at New York University’s CSAW’22 Cybersecurity Games and Conference. Their paper, “VPNalyzer: Systematic Investigation of the VPN Ecosystem,” was first presented at the 2022 Network and Distributed System Symposium.

VPNalyzer enables systematic, semi-automated investigation into the VPN ecosystem. It comes packaged with a measurement test suite that identifies deficiencies in service, security and privacy essentials, as well as misconfigurations and leakages in a VPN’s operation. The tool was used in 2021 by Consumer Reports to rate popular consumer options on their effectiveness in these areas, and Ramesh is currently preparing the tool for a future desktop release.

“Our investigation reveals several previously unreported findings highlighting key issues and implementation shortcomings in the VPN ecosystem,” Ramesh writes. 

The team found evidence of traffic leaks during tunnel failure in 26 VPN providers, which risks exposing sensitive user data when the VPN tunnel fails for any reason. They were the first to measure and detect DNS leaks during a tunnel failure, observed in eight providers. And they found that a majority of providers lack support for the most recent version of the Internet Protocol (IPv6), and that five even leak IPv6 traffic to the user’s ISP.

A key finding in the report is that VPNs often fall short of their promised level of security even when they advertise additional protections. Ten VPN providers leaked traffic even in their most secure configuration, the team reports, with six leaking when a “kill switch” feature is enabled. This feature is meant to immediately terminate a user’s network connection if the VPN connection drops, often marketed as a fundamental security measure to prevent exposure of the user’s IP address or other sensitive information.
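As an added illustration (not code from VPNalyzer or the paper), the leak classes reported above can be separated in a measurement like this: any flow that leaves on the physical uplink rather than the tunnel is sorted into IPv4, IPv6 or DNS leakage, split by whether it happened while the tunnel was up or after it failed, and a kill switch that works should leave the post-failure set empty. The Flow record, the interface names, the addresses and the 10-second failure time are constructed assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One observed outbound flow (constructed for this example, not a real capture)."""
    t: float        # seconds since the measurement started
    iface: str      # interface the packets left on, e.g. "tun0" or "eth0"
    dst: str        # destination address
    dst_port: int
    family: int     # 4 or 6

def classify_leaks(flows, tunnel_down_at, vpn_server, tunnel_iface="tun0"):
    """Bucket flows that bypass the tunnel into the leak classes the study reports.

    Returns {"connected": set(...), "tunnel_failure": set(...)}, each set holding
    "dns", "ipv4" and/or "ipv6". Flows on the tunnel interface and flows to the
    VPN server itself (the encapsulated tunnel, or reconnection attempts) are
    legitimate and never count as leaks.
    """
    leaks = {"connected": set(), "tunnel_failure": set()}
    for f in flows:
        if f.iface == tunnel_iface or f.dst == vpn_server:
            continue
        phase = "tunnel_failure" if f.t >= tunnel_down_at else "connected"
        if f.dst_port == 53:
            leaks[phase].add("dns")
        leaks[phase].add("ipv6" if f.family == 6 else "ipv4")
    return leaks

def kill_switch_holds(leaks):
    """A working kill switch lets nothing outside the tunnel after the tunnel fails."""
    return not leaks["tunnel_failure"]

# Constructed observations: the tunnel is up for 10 s, then fails.
SAMPLE = [
    Flow(1.0, "eth0", "203.0.113.10", 1194, 4),   # outer tunnel packets to the VPN server
    Flow(2.0, "tun0", "198.51.100.7", 443, 4),    # web traffic, correctly inside the tunnel
    Flow(3.0, "eth0", "2001:db8::50", 443, 6),    # IPv6 left via the ISP while "protected"
    Flow(11.0, "eth0", "203.0.113.10", 1194, 4),  # reconnection attempt, allowed
    Flow(12.0, "eth0", "192.0.2.53", 53, 4),      # DNS query escaped after the tunnel fell
    Flow(13.0, "eth0", "198.51.100.7", 443, 4),   # plain IPv4 traffic escaped too
]

if __name__ == "__main__":
    result = classify_leaks(SAMPLE, tunnel_down_at=10.0, vpn_server="203.0.113.10")
    print(result, "kill switch holds:", kill_switch_holds(result))
```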

The focus of the CSAW Applied Research Competition is on security research that has a practical impact. The competition’s Best Paper Award assesses the top scholarly security research from the previous year.