Grrr… IPv6 and DNS Vulnerabilities

We’ve received lots of questions from customers, journalists and bloggers about a recent paper that was released which outlines two different vulnerabilities for commercial VPNs. The paper also tested different VPN services including TunnelBear against the vulnerabilities. Along with many of the companies, TunnelBear was listed as vulnerable to these attacks. Below is a summary of the actions we have already taken and will be taking to address the vulnerabilities.

It’s important to note that TunnelBear has been working on the long-term solution to these problems for quite awhile. However, this paper rightfully highlights the risks of these vulnerabilities and that our temporary solutions could and should have been rolled out sooner.

We will continue to update this blog post with the latest information and additional technical analysis.

Summary

There are two different vulnerabilities listed – IPv6 leakage and DNS Hijacking. The table below summarizes the vulnerabilities and our response.

**IPv6 Leakage****DNS Hijack**
**Description**By falsely advertising IPv6 availability a malicious local network (e.g. Wi-Fi router) could redirect IPv6 traffic to take a path outside of the VPN tunnel By triggering a configuration change in your device network interface, a malicious local network device (e.g. Wi-Fi router) could redirect traffic to take the path outside of the VPN tunnel
**Risk**Your IPv6 traffic would not be going through the encrypted VPN tunnelOnce “hijacked” a malicious party could monitor a user’s DNS requests
**TunnelBear Actions****iOS** – No action required **Windows** – TunnelBear released an update which should temporarily block IPv6 traffic in March 2015 (version 2.3.13). **OS X** – TunnelBear is testing an update which blocks IPv6 traffic. Update imminent. **Additional Network Changes** In addition to app updates, we are adding an additional layer of IPv6 protection on our servers. The change will explicitly route all IPv6 traffic through the VPN tunnel where it will be blocked on the server. This will eliminate IPv6 vulnerability until full IPv6 support is rolled out. It will also protect legacy clients while they are updated. TunnelBear is rolling out a network change such that our DNS servers maintain the same address as our VPN servers. This will prevent the attack outlined in the paper as the conflicting DNS locations will cause the connection to fail in an obvious way to alert the user of such an attack.
**User Actions**Install updates as they become available, however all clients should be protected within the next 48 hours with server changes. No action required, a change to our network will prevent the DNS vulnerability within the next business week.

Moving Forward

IPv6

The Internet is migrating from IPv4 to IPv6 and TunnelBear is migrating as well. While IPv6 will continue to be blocked in the short-term, we expect to offer full support for IPv6 with dual-stacks, both IPv4 and IPv6 soon. Migrating our network has taken longer than expected, which means we’ve had to make temporary updates to clients and servers to temporarily block unsecured IPv6 traffic.

DNS

The changes being rolled out on our network over the next week will prevent the attack outlined in the paper. Moving forward, we will continue development and integration of our own DNS servers with improved DNS security.

We welcome additional feedback from the paper authors and the community on the vulnerabilities. We will provide updates and additional information as it becomes available on this post.

Grizzly Regards,

Reference Article

A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf