VPN services and its security

Discussion in 'privacy technology' started by 142395, Jan 28, 2018.

  1. 142395

    142395 Guest

    I posted a link from MRG in a thread but want to go further.

    While there're many good articles about VPN service & privacy, few about VPN & security (in narrow definition). We almost know nothing about each service's security, not just about firewall. Some services such as PIA, Mullvad, PP, ExpressVPN seems to have a kind of bug bounty but they're not transparent. It seems Express' bounty doesn't work as there's no mention in their release notes. Some, such as encrypt.me & HIDE.ME, had 3rd party audit but still not very clear about what it means. Audit may have privacy concern, but think about it...if a service has decent security but logs everything and sell that then they're no use for privacy minder. But if a service really doesn't log but their server have poor security thus any bad actor can easily compromise them, then there's no real privacy. (IIRC, some commercial VPN services deploy NIPS, it might be more serious privacy concern.)

    AirVPN's response to heartbleed was quick and good, but not sure for other services, nor other vulnerability if any (BTW all of best VPNs recommended in Wilders support public audit of OpenSSL or OpenVPN!).

    OVPN explain well about their physical security, but AFAIK no others do this. WhattheSEVER says they use OpenBSD which is by my knowledge probably the most secure OS, but I know little about what OS, software, hardware, network security measure etc. other service use. Any input will be appreciated.

    As I don't take security-through-anonymity much, I think these services should be more transparent. If someone tried to probe security of a service, it can be illegal unless there's pre-agreement so it will be hard to know, but bad guys won't care.
     
  2. 142395

    142395 Guest

    I found Mullvad uses Qubes. Also Cryptstorm says they employed GRSecurity but apparently they don't purchase it after they went private (correct me if I'm wrong). They also mention some OS hardening.
     
  3. DrearyMushroom

    DrearyMushroom Registered Member

    Joined:
    Sep 9, 2017
    Posts:
    27
    Location:
    The Internet
    I think these are good points. All it takes is one one screw up for a bad actor to get into the system and make it all insecure.

    I look around at the staff of the VPN - can you find them on LinkedIn, do they have a good reputation? I usually stay away from ones where you can’t find some established names behind the staff. All it takes is one sloppy dude to make a mistake. The answer is yes with Mullvad and iVPN, not so much with AirVPN.
     
  4. 142395

    142395 Guest

    Yup, reputation is one important aspect, but I'm more frustrated not to be able to find many technical details about each VPN service. Cryptostorm might be exception, tho their way of explanation is terrible, especially PJ (aka Douglas Spink)'s one is just too much verbose with much of unneeded frills. I guess Air seconds to CS, tho most of them are only found on forums or other place, not their official website.
     
  5. 142395

    142395 Guest

    Tunnelbear have 3rd party audit, according to Reddit wiki.
     
  6. 142395

    142395 Guest

    Not sure if it's worth making new topic, but anyway:

    A flaw in Hotspot Shield can expose VPN users, locations
    http://www.zdnet.com/article/privacy-flaw-in-hotspot-shield-can-identify-users-locations/
     
  7. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,251
    Location:
    Southern Rocky Mountains USA
    Google Maps will put a router's location in its location database. The link below doesn't state it but I'm pretty sure the MAC address as well as the SSID will be used. I can't see the location system being very good without it.

    https://support.google.com/maps/answer/1725632?hl=en

    I found this out because I was getting my real location from the Browserleaks.com geolocation test through a dual hop vpn tunnel with the first hop in the router and the second using OpenVPN client software. If you ever use Google Earth or Google Maps through a router and identify a home location, that router's MAC address will be added to the Google location database with the location entered.

    I don't like the opt out method of adding a tag to the SSID but at least you can have your home router opt out of this but you have no control over a public hotspot's router. And Google isn't the only location service out there so just opting out of their location service won't solve the problem. You need to use a VPN in a VM to get around this. I can see the possibility of coding a light virtualization of just a network adapter to do this but I don't know of any code out there that does this. In my home setup, I daisy chain routers so the VPNs have a different MAC address from the ISP router. With Tomato firmware, I can periodically randomize the MAC address of each wifi SSID and each Wifi SSID is for a different VPN.
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, this is a huge gotcha. If you want your location obscured, you can never share it.
     
  9. 142395

    142395 Guest

    Google uses MAC address or BSSID when its SSID don't include '_nomap'. Their self regulation is they require 2 different addresses/BSSIDs for geolocation collection, which nowadays won't work as most user use multi SSID and it often uses different (usually sequential) BSSIDs. And they no more need Google car as almost everyone use Android, Chromebook, or G-something which can catch your wifi and have geolocation functionality.

    A possible mitigation is weaken/limit power of wifi so that only your family can manage to catch, but once you invite a guest who has Android and it's game over. As you said, '_nomap' can never be real solution as they're not only one to collect geolocation. So probably, as you said, only real solution will be either separate or randomize MAC which I haven't tried, but it's good to know. Thankfully, it seems DD-WRT also supports this.
     
  10. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,445
    Location:
    Slovenia
    Is there any way to find out if specific router has been added to their database?
     
  11. 142395

    142395 Guest

    Do you mean DD-WRT? I'm not sure and their official database is useless. Maybe just Googling is better. It has been long time after final stable release and most of new router supported are by so-called Kong build, which are variation of base DD-WRT built and tested by Kong, one of the old members of DD-WRT devs.
     
  12. 142395

    142395 Guest

  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,445
    Location:
    Slovenia
    No, I meant Google's database, for routers that don't have _nomap in SSID and were mapped using location services.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    See https://developers.google.com/maps/documentation/geolocation/intro

     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,445
    Location:
    Slovenia
    Thnx @mirimir
    I see that that option is more suited for developers. I was hoping that there would be easier way for end user to check if their hardware is in database.
     
  16. 142395

    142395 Guest

    @Minimalist Sorry for misinterpretation. I thought there was an unofficial website somewhere to check if your MAC is registered, but I hesitated and didn't enter mine (even after checked source).
     
  17. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,251
    Location:
    Southern Rocky Mountains USA
    It's been a while since I dealt with this but now I remember that Google Location will check the SSIDs of all wifi connections that are seen not just the one connected to so the only real solution is a VM. If your neighbors router is in the database, it will be used. I had the location test fail due to a router around a 1/4 mile away. I could turn off wifi for the ISP router and write a script that randomizes the Mac addresses of the VPN channels on the daisy chained router every time it boots but that would only partially help. The only real solution is a completely virtualized system that has no access to host wifi.
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe don't have WiFi on VM hosts?
     
  19. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,251
    Location:
    Southern Rocky Mountains USA
    Yes, that would be another solution for home setups but not for mobile connections. Due to limited home bandwidth, I sometimes take a laptop to a cafe that has a 100mbs connection. Even in my home setup it would be a bit inconvenient to have everything on ethernet cables but I do keep some devices off wifi.
     
  20. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Cool! Please say more. What OS? Will you share source code? Or maybe setup a website?
     
  22. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    :)

    Any OS/Platform that has support for Qt5: Linux, Windows, Mac, Raspberry Pi etc...

    I don't really know. I was hoping maybe getting lil money from this ($3 per binary + zipped source code + support maybe? Or something like that....).

    But there is one difficulty: Because it uses Google API it also needs API key. And Google set's daily limits how many requests each API key holder can make
    https://developers.google.com/maps/documentation/geolocation/usage-limits

    Obviously, I can't give my own API key away, because then it would run out at notime.

    So anyone wanting to use this thing would have to create their own API key by first having a valid gmail address and then API key from here:
    https://developers.google.com/maps/documentation/geolocation/get-api-key
     
  23. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,832
    Location:
    UK
    It will be interesting to see if GDPR has anything to say about this - the lack of consent is obvious, particularly when reported by 3rd parties. But I guess, legally they will claim all this stuff is publicly broadcast, so tough. At least they nominally have a get-out with _nomap, but this is no real redress when devices 1/4 mile away nail you whether you like it or not..

    @Stefan Froberg - astonishing work, very interesting. I think I'm in a mixture of awe and shock for what's available really.

    Just to make sure I understand the situation @MisterB , if I connect via wireless on the host, but then chain (say) a pfsense VM with a client VM, that's OK on the client?
     
  24. 142395

    142395 Guest

    Sorry for noob question, but aren't Wifi MAC address or BSSID, router's WAN MAC address, and its ethernet LAN MAC address all different? (I think it depends on router tho.) If they're different, am I safe?
    Even more basic question, assuming your router (or your neighbor's?) is already in Google's database, then how exactly it is detected on browserleak.com which is over the internet...do they execute some script to know that? I'm really noob about network.
     
  25. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Each network interface device, be it WLAN (WiFI), WWAN (3G/4G Modem) or plain boring LAN (ethernet) has an unique serial numer that is also called MAC.

    BSSID (not to be confused with ESSID) is the MAC address of your router WLAN interface.
    So yes, you are right, WiFI router MAC = BSSID.
    MAC address consist of 3 byte vendor prefix followed by 3 byte unique identifier.

    The factory MAC address is hardcoded but you can spoof it easily with software (my laptop does it automatically for all interfaces with macchanger linux program).
    For example, here is my spoofed WWAN MAC
    00:1A:51:02:25:0A

    00:1A:51 is the vendor prefix for Alfred Mann Foundation while the 02:25:0A is a unique identifier.
    So I guess, if you had your WiFI MAC spoofed at the time Google car went close by your router, you should be safe.
    Other than that, I have no clue how Google actually finds anything with just WiFI MAC address alone ? o_O
    (probably they save your latitude & longitude and use your WiFI MAC as key to that, which would make it useless if you say, move to some other place)

    EDIT: Or maybe they just keep updating it with Google car....haven't seen one since 2014 tought....
    EDIT2: Ah, but smartphones a totally different story than routers, you don't need Google car for that to harwest their WiFi MAC's .....
     
    Last edited: Feb 25, 2018
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.