A virtual private network can provide peace of mind by encrypting your activity on the internet and hiding your identity while you browse, which allows you to visit foreign websites and provides a more secure way to transmit private information.
But a new study has uncovered weaknesses that could allow your phone or computer to be tricked into leaking the data you send online, known as “traffic,” before it reaches the protected VPN tunnel.
In a paper presented at the USENIX Security Symposium on August 11, researchers from New York University, KU Leuven University in Belgium and NYU Abu Dhabi dubbed the VPN problem “TunnelCrack.”
And no matter what type of device you use, or what your VPN is, you could be at risk.
What Were the Findings?
“Our tests indicate that every VPN product is vulnerable on at least one device,” the researchers wrote. “We found that VPNs for iPhones, iPads, MacBooks, and macOS are extremely likely to be vulnerable, that a majority of VPNs on Windows and Linux are vulnerable, and that Android is the most secure with roughly one-quarter of VPN apps being vulnerable.”
The differences appear to stem from the way the various operating systems are designed.
The testers confirmed their findings by running 248 experiments involving 67 VPN providers on Windows, macOS, iOS, Linux and Android.
Study co-author Mathy Vanhoef, a professor at KU Leuven, says researchers were able to run their tests without putting the public at risk. “We…used our own phones and own laptops, installed a lot of VPN apps you can find and then tested it,” he says, “and could basically attack ourselves in a lot of cases.”
How Does TunnelCrack Work?
Two types of vulnerabilities were discovered: LocalNet attacks and ServerIP attacks.
LocalNet attacks involve traffic sent to and from…