An estimated 46,000 VPN servers are vulnerable to being hijacked


VPN servers and private routers are part of over 4 million internet hosts vulnerable to hijack from cybercriminals.

Vulnerabilities in multiple tunneling protocols, including IPIP and GRE, allow attackers to gain access to affected internet hosts, perform anonymous attacks, and gain unauthorized network access.

It doesn't appear as though any servers belonging to the best VPNs have been affected, but the threat to VPN servers worldwide and people's home routers is concerning.

What happened?

The vulnerabilities were discovered by Top10VPN alongside security researcher Mathy Vanhoef. A large-scale internet scan identified 4.26 million open tunneling hosts at risk, which included VPN servers, ISP home routers, mobile network gateways, and core internet routers.

The vulnerability concerns tunneling packets. Tunneling wraps packets from one network inside packets on another so they can be carried across it, and the inner traffic can be encrypted to hide the nature of the data being moved.

In this case, the internet hosts accept tunneling packets without verifying the sender's identity. Attackers can send crafted packets through them to attack and gain access to victims' devices or networks.

Vulnerable hosts can be abused as one-way proxies, which enables the possibility of anonymous attacks. Many hosts also allow source IP spoofing to avoid detection, and attacks involving denial-of-service (DoS) techniques and DNS spoofing are also possible.


Results of top10vpn.com's scan identified IPIP, IP6IP6, GRE, GRE6, 4in6, and 6in4 as vulnerable tunneling protocols, with China, France, Japan, Brazil, and the US the most affected countries.

The problem is that these protocols neither authenticate nor encrypt traffic on their own; to be secured, they must be combined with Internet Protocol Security (IPsec).

The total number of vulnerable hosts was 4,262,893 and 1,858,892 of those were spoofing-capable.

In the report, top10vpn.com's Simon Migliano said "all vulnerable hosts can be hijacked to perform anonymous attacks, as the outer packet headers containing an attacker’s real IP address are stripped. These attacks are easily traceable to the compromised host, however, which can then be secured."

"Spoofing-capable hosts can have any IP address as the source address in the inner packet, so not only does an attacker remain anonymous, but the compromised host also becomes much harder to discover and secure."

The impact on VPNs

We must look more closely at the impact on VPNs and determine the level of threat. IPIP and IP6IP6 are commonly used in Linux-based routing and can also be used by the OpenVPN protocol.

IPIP and IP6IP6 have no authentication or encryption of their own, but OpenVPN can use them, alongside its own encryption, to provide an extra layer of abstraction and flexibility.

At least 1,365 likely VPN servers were identified as vulnerable in top10vpn.com's scans, but the true total is likely to be far greater, with the estimate put at around 46,000.

Of the 1,365, at least 130 servers appeared to be connected to consumer VPN services. As mentioned, none of the leading VPN providers were listed.


17 vulnerable servers associated with Singapore-based AoxVPN were identified. The VPN has over one million active Android installations and is also available on Windows, iOS, and macOS. Several of its associated domains were identified, including its website host aoxvpn.com.

AoxVPN seemed to be the only active VPN service affected, but seemingly defunct VPNs with servers still online were also picked up. Domains related to Indonesia-based AirFalcon VPN and Hong Kong-based AmanVPN were found to accept unauthenticated tunneling traffic.

The GRE protocol was identified as affecting approximately 123 VPN domains connected to businesses or organizations. 171 hosts in total were affected, with 6in4, IPIP, and 4in6 accounting for the remaining 48.

These 171 servers were present in 33 countries. 39 were located in the US, 31 in China, 28 in Hong Kong, 15 in Canada, and 12 in France.

Is my home router at risk?

Unless you live in France and your Internet Service Provider (ISP) is Free, then no, it isn't – at least not from this vulnerability.

But 17% of all vulnerable hosts (726,194) were a result of a misconfiguration in French ISP Free's home routers.

Routers with the host name *.fbxo.proxad.net accepted unauthenticated plaintext 6in4 tunneling packets from any source.

This leaves customers' home routers vulnerable and open to DoS attacks, and allows devices connected to their home network to be targeted.

Smart devices, such as security cameras or home automation systems, connected to the router could be at risk, alongside any insecure devices.

Top10vpn.com reported that Free has secured its affected routers after being made aware of the vulnerability. However, it is still worth confirming this with Free if you are a customer.

Free was not the only ISP affected: vulnerabilities also affected Japanese ISP Softbank, Irish ISP Eircom Ltd, and Colombian and Chilean ISP Telmex.


How to protect yourself

The vast majority of people won't be affected by these vulnerabilities, but knowing how to defend yourself is still important.

On the host side, ensuring that only tunneling packets from trusted sources are accepted is a good first step, and tunnels should be protected with IPsec, which provides the authentication and encryption these protocols lack. You can also consider using a more secure protocol, such as WireGuard.

If you have control over your network then you can implement traffic filtering. You can perform Deep Packet Inspection (DPI) for malicious packets as well as blocking all unencrypted packets.
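The two failure modes the report describes, a host that forwards tunnel packets from anyone and a host that lets the inner packet carry any source address, come down to checks a receiving host can make on the outer and inner IP headers. As an added example that is not part of the article or the underlying research, this Python sketch builds a minimal IPIP (IP protocol 4) packet and applies both checks; the trusted peer, internal prefix and all addresses are constructed placeholders.

```python
import ipaddress
import struct

# Constructed placeholders for this example: the only tunnel peer this host
# should accept, and the prefix inner (decapsulated) traffic is expected from.
TRUSTED_PEERS = {ipaddress.ip_address("198.51.100.10")}
INNER_PREFIX = ipaddress.ip_network("10.0.0.0/8")
IPV4_PROTO_IPIP = 4  # IANA protocol number for IP-in-IP (IPIP)

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, proto, header_len) parsed from an IPv4 header."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
            proto, (ver_ihl & 0x0F) * 4)

def build_ipip(outer_src, outer_dst, inner_src, inner_dst):
    """Encapsulate an inner IPv4 header inside an outer IPv4/IPIP header."""
    inner = ipv4_header(inner_src, inner_dst, 17, 0)  # inner payload omitted
    return ipv4_header(outer_src, outer_dst, IPV4_PROTO_IPIP, len(inner)) + inner

def classify_ipip(packet):
    """Decide whether a host should accept an inbound IPIP packet, and why."""
    outer_src, _, proto, hlen = parse_ipv4(packet)
    if proto != IPV4_PROTO_IPIP:
        return ("pass", "not a tunnel packet")
    inner_src, inner_dst, _, _ = parse_ipv4(packet[hlen:])
    # Check 1: the outer source is the sender's real address. A vulnerable host
    # strips this header and forwards the inner packet, so the sender vanishes.
    if ipaddress.ip_address(outer_src) not in TRUSTED_PEERS:
        return ("drop", f"untrusted tunnel peer {outer_src}")
    # Check 2: the inner source must belong to the tunnel's expected prefix,
    # otherwise the host becomes a spoofing-capable relay.
    if ipaddress.ip_address(inner_src) not in INNER_PREFIX:
        return ("drop", f"spoofed inner source {inner_src}")
    return ("accept", f"{outer_src} -> inner {inner_src} -> {inner_dst}")

if __name__ == "__main__":
    for pkt in (build_ipip("203.0.113.5", "192.0.2.1", "10.1.2.3", "10.9.9.9"),
                build_ipip("198.51.100.10", "192.0.2.1", "203.0.113.77", "10.9.9.9"),
                build_ipip("198.51.100.10", "192.0.2.1", "10.1.2.3", "10.9.9.9")):
        print(classify_ipip(pkt))
```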

On a consumer level, make sure you are using a trusted and secure VPN provider. We would recommend any of the providers on our best VPN page, with many offering class-leading privacy and secure networks and servers.

A reliable VPN will encrypt traffic and protect your devices from third parties and hackers. It will be regularly updated to ensure you are receiving the best protection possible at all times.

Many VPNs offer protection for multiple devices on one plan, with some even protecting an unlimited number of devices. All the devices in your home can therefore benefit from VPN protection, giving you peace of mind.


ExpressVPN | 2 years + 4 months FREE | $4.99 per month
ExpressVPN is great for beginners and offers class-leading privacy for up to 8 devices on one plan. It has over 3,000 servers in 105 countries, can unblock all your favourite streaming sites, and is good for torrenting. Its 2-year plan works out at $4.99 per month ($139.72 up front) and ExpressVPN has recently introduced a tonne of new features at no extra cost, including Identity Defender and Credit Scanner. You also get a free eSIM, 4 extra months of protection for free, and a 30-day money-back guarantee.

If you want protection at the source or you have a lot of smart devices that you can't install a VPN on, then consider a router VPN. You can install a VPN on a router using specific software and this will protect every device on your home network.

This task isn't the simplest, but if you still want to protect your home network then ExpressVPN's Aircove router is an option. The hardware is available to purchase and comes pre-loaded with ExpressVPN software, so there is no need to struggle installing a VPN on your current router. ExpressVPN ranks third in our VPN list and is the best VPN for beginners, so you can be sure of class-leading protection.

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

George Phillips
Staff Writer

George is a Staff Writer at Tom's Guide, covering VPN, privacy, and cybersecurity news. He is especially interested in digital rights, censorship, data, and the interplay between cybersecurity and politics. Outside of work, George is passionate about music, Star Wars, and Karate.