Share this post

Grrr… IPv6 and DNS Vulnerabilities

We’ve received lots of questions from customers, journalists and bloggers about a recent paper that was released which outlines two different vulnerabilities for commercial VPNs. The paper also tested different VPN services including TunnelBear against the vulnerabilities. Along with many of the companies, TunnelBear was listed as vulnerable to these attacks. Below is a summary of the actions we have already taken and will be taking to address the vulnerabilities.

It’s important to note that TunnelBear has been working on the long-term solution to these problems for quite awhile. However, this paper rightfully highlights the risks of these vulnerabilities and that our temporary solutions could and should have been rolled out sooner.

We will continue to update this blog post with the latest information and additional technical analysis.

Summary

There are two different vulnerabilities listed – IPv6 leakage and DNS Hijacking. The table below summarizes the vulnerabilities and our response.

IPv6 LeakageDNS Hijack
DescriptionBy falsely advertising IPv6 availability a malicious local network (e.g. Wi-Fi router) could redirect IPv6 traffic to take a path outside of the VPN tunnel By triggering a configuration change in your device network interface, a malicious local network device (e.g. Wi-Fi router) could redirect traffic to take the path outside of the VPN tunnel
RiskYour IPv6 traffic would not be going through the encrypted VPN tunnelOnce “hijacked” a malicious party could monitor a user’s DNS requests
TunnelBear ActionsiOS – No action required Windows – TunnelBear released an update which should temporarily block IPv6 traffic in March 2015 (version 2.3.13). OS X – TunnelBear is testing an update which blocks IPv6 traffic. Update imminent. Additional Network Changes In addition to app updates, we are adding an additional layer of IPv6 protection on our servers. The change will explicitly route all IPv6 traffic through the VPN tunnel where it will be blocked on the server. This will eliminate IPv6 vulnerability until full IPv6 support is rolled out. It will also protect legacy clients while they are updated. TunnelBear is rolling out a network change such that our DNS servers maintain the same address as our VPN servers. This will prevent the attack outlined in the paper as the conflicting DNS locations will cause the connection to fail in an obvious way to alert the user of such an attack.
User ActionsInstall updates as they become available, however all clients should be protected within the next 48 hours with server changes. No action required, a change to our network will prevent the DNS vulnerability within the next business week.
## Moving Forward

IPv6

To prevent any possible issues, IPv6 is now blocked on TunnelBear's clients and network.

DNS

The changes which have now rolled out on our network will prevent the attack outlined in the paper. Moving forward, we will continue development and integration of our own DNS servers with improved DNS security.

We welcome additional feedback from the paper authors and the community on the vulnerabilities. We will provide updates and additional information as it becomes available on this post.

Grizzly Regards,

Reference Article

A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf