Are virtual private networks actually private?

October 17, 2022

The ASU professor works to protect internet freedom and digital security

In countries where internet censorship and surveillance are part of government policy, online security is crucial for vulnerable users. Those who have a prominent online presence, such as journalists, activists, and politicians, can face dire consequences simply for browsing certain websites.

Virtual private networks, or VPNs, were designed to protect users’ data from surveillance, but for those whose lives may depend on their effectiveness, whether VPNs can do what they claim is of paramount importance.

Whether VPNs can effectively protect users is the question fueling research by Jedidiah Crandall, an associate professor of computer science with a joint appointment in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University, and ASU’s Biodesign Center for Biocomputing, Security and Society.

Crandall explains that VPNs hide your internet protocol or IP address by associating it with a server other than your own, making it appear as if you are accessing the internet outside of your normal network.

“VPNs were originally designed to get on a secure network, but companies have repurposed them so you can escape a restrictive ISP that you don’t trust and access a free and secure one instead,” says Crandall. “So the way people are using VPNs today is kind of backwards.”

Crandall notes that this access is useful when users are concerned that their browsing data is being monitored by their internet service provider or ISP, or when users are in a country that censors their internet activity.

Resources like OpenVPN, a leading global private networking and cybersecurity company and the #1 resource for commercial VPN services, provide access to tools that quickly and easily connect to private networks and protect assets. Crandall’s research aims to refute claims about privacy and uncover whether VPNs can create a false sense of security in their users.

“We’re really just asking the basic questions like, ‘If you repurpose VPNs that way, do they actually have the security features that people expect?’” he says, reiterating his work’s focus on vulnerable users who face serious consequences of censorship and surveillance policies. “The first part of our research was looking at the VPN tunnel itself, which is an encrypted tunnel between the VPN server and the client, to see what kind of damage attackers could do from there.”

To figure out how attacks can be carried out, Crandall and a group of researchers simulated a range of attacks from two potential threat paths: client-side, or direct attacks on the user’s devices, and server-side, or attacks on the VPN server accessed through the user’s device or the VPN tunnel. The group explained their findings in an article titled “Blind In/On-Path Attacks and Applications to VPNs.”

The team concluded that traffic coming out of the tunnel can still be attacked in the same way as if a VPN were not used, with attackers able to reroute connections and deliver malware that users believe the VPN protects them from.

Crandall viewed the threat of an attack as a possibility, not just a hypothetical problem, and worked with a team of researchers — including colleagues from the University of Michigan and Merit Network — on a paper titled “OpenVPN is Open to VPN Fingerprinting” for the 2022 USENIX Security Symposium.

The study looks at how VPN adoption has steadily increased due to growing public awareness of privacy and surveillance threats, and how some governments are attempting to restrict access by using Deep Packet Inspection, or DPI, a technology commonly used for eavesdropping on online services and for censorship, to identify connections.

The research team’s efforts won the symposium’s Distinguished Paper Award and first place in the 2022 Internet Defense Prize competition sponsored by Meta. As part of the award, Meta granted the team $110,000 to continue the research.

“I was glad to contribute to this work, but much of the credit goes to the University of Michigan team who really spearheaded this research,” says Crandall. “A big part of this work is setting standards on how to bring different stakeholders together so everyone from VPN providers to users have the same expectations, but we’re also trying to define what those expectations should be.”

Crandall, his research partner at the University of Michigan, Roya Ensafi, and Michael Kallitsis of Merit Network secured a $1.2 million grant from the National Science Foundation to expand their broader exploration of the VPN ecosystem. The grant allows them to focus on aspects of VPN security and privacy that exist in practice but remain severely understaffed and unaudited.

“There can be a lot at stake for people around the world when VPN providers market their services with false claims. Our research has shown how VPN-based services, including those that market their VPN service as ‘invisible’ and ‘unblockable,’ can be effectively blocked with little collateral damage,” says Ensafi, assistant professor of electrical engineering and computer science.

“Jed is one of the leading Internet censorship researchers focusing on network disruption since 2005, so he’s been instrumental in moving this research forward.”

Before joining the University of Michigan faculty, Ensafi began her research partnership with Crandall when she was his graduate student at the University of New Mexico, where she used her experiences of living under strict internet censorship in Iran to inspire her work.

“I really owe Jed his leadership and partnership in this research,” she says of her former advisor. “He’s someone who invests in students and sees their potential, even if they don’t see it themselves. Without his guidance and mentoring, I would not be the senior faculty member I am today.”

Outside of his work at ASU, Crandall collaborates with his current computer science graduate students on projects as part of a research team they founded called Breakpointing Bad, a nonprofit group that provides technical expertise and skills to populations whose digital rights are at risk. One of those students is Benjamin Mixon-Baca, both a graduate student and research associate at the Biodesign Center for Biocomputing, Security and Society. Mixon-Baca has worked with Crandall since the non-profit organization was founded in 2019.

“Jed thinks about problems and sees new solutions in interesting ways, unlike anyone else I’ve worked with,” says Mixon-Baca. “He knows how to motivate people to solve problems and achieve many interesting research results. I have benefited personally and professionally from his mentorship.”

Looking ahead, Mixon-Baca sees an ongoing need for this research.

“As VPNs continue to rise in popularity, repressive countries have developed some of the most sophisticated censorship and surveillance technologies in response,” says Mixon-Baca. “This work is critical to making progress in understanding how these systems work and developing defenses against attacks on the users who rely on VPNs.”

Communication Specialist, Ira A. Fulton Schools of Engineering
