Nothing on the internet is 100% safe from hackers. That’s rule number one of understanding cybersecurity. And that applies to VPNs as much as anything else. So when threats to VPN networks are reported, it’s only right that we take notice and try to understand how serious they are. VPNs specialize in providing a much higher, or even watertight, level of privacy for their users. But a recent attack named Voracle has cast doubt on these claims.
Unveiled in summer 2018, Voracle could have major implications for VPN users, so let’s look in more detail at what it is, and how VPNs can respond to ensure the security they promise.
Introducing the OpenVPN Voracle attack: is it serious?
Voracle first came to light in early August 2018, when a researcher named Ahamed Nafeez presented at the Black Hat and DEF CON conventions in Las Vegas. As Nafeez reported, Voracle offers a way for attackers to get hold of details about the HTTP traffic flowing through VPNs.
In theory, this isn’t supposed to be possible. All HTTP traffic passing through VPNs should be encrypted from source to destination, protecting the anonymity of web users. But Voracle casts that protection into doubt.
According to Nafeez, any site using HTTP is vulnerable, enabling hackers to procure details about who is visiting specific sites, and what they do there. But there are some qualifications.
For one thing, targets would need to be using OpenVPN based systems. Not all VPNs rely on OpenVPN (though many do). And they would also need to be “lured” to a specific HTTP site that the hacker controls. However, as anyone familiar with high-level phishing and hijacking will tell you, that isn’t always a big technical obstacle.
How the Voracle attack would work
Voracle works by targeting the way data is encrypted when it is sent via OpenVPN systems. When data is transmitted via OpenVPN, it has to be compressed in a certain way before being encrypted via TLS and passing through the VPN tunnel.
OpenVPN automatically compresses information before transmission, which helps to streamline its operation. But how the data is compressed creates the vulnerability that Voracle exploits.
Voracle is essentially a form of Man-in-the-Middle (MITM) attack. To carry out a Voracle attack, hackers would need to lure users to websites under their control.
When the user is in their clutches, hackers are able to insert plaintext data into the packets transmitted by their target. By delivering this payload to target users, they can effectively compare data packets before and after compression.
Using the values obtained by making this comparison, hackers can potentially derive the encryption keys needed to gain both session cookies and session data from people visiting their site.
This is highly technical, but it’s not beyond the reach of many hackers. As Nafeez showed in Las Vegas, using the Voracle exploit, seven-digit OpenVPN session cookies can be secured in under a minute.
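The length leak behind this comparison, as an added example (not code from Nafeez's talk or from OpenVPN): zlib stands in for the tunnel's compressor, encryption is modelled only as a constant per-packet overhead, and the request, host name and cookie value are constructed. It measures what an on-path observer sees with compression on and off, which is why disabling compression closes the channel.

```python
import zlib

# Assumption: the cipher hides content but not size, adding a fixed tag per packet.
AEAD_OVERHEAD = 16


def tunnel_packet_len(payload: bytes, compress: bool) -> int:
    """Size of one tunnelled packet as seen on the wire."""
    body = zlib.compress(payload, 9) if compress else payload
    return len(body) + AEAD_OVERHEAD


def build_request(injected: str, cookie: str) -> bytes:
    """Constructed plain-HTTP request: page-influenced text plus the browser's cookie."""
    return (
        f"GET /?q={injected} HTTP/1.1\r\n"
        f"Host: example.test\r\n"
        f"Cookie: {cookie}\r\n\r\n"
    ).encode()


def observed_lengths(cookie: str, injected_values, compress: bool) -> dict:
    """Wire length for each injected value, with or without tunnel compression."""
    return {
        value: tunnel_packet_len(build_request(value, cookie), compress)
        for value in injected_values
    }


# Constructed sample data: one injected string equals the cookie, one does not.
COOKIE = "sessionid=4829173"
MATCHING = "sessionid=4829173"
NON_MATCHING = "sessionid=9513068"

if __name__ == "__main__":
    for compress in (True, False):
        sizes = observed_lengths(COOKIE, [MATCHING, NON_MATCHING], compress)
        label = "compression on " if compress else "compression off"
        print(label, sizes)
    # With compression on, the matching string is deduplicated against the cookie,
    # so its packet is shorter. With compression off, both packets are the same size.
```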
What could be the consequences of a Voracle attack?
The consequences of a successful Voracle attack could be severe for individuals, businesses and – potentially – society as a whole. With OpenVPN session cookies in their possession, hackers can hijack the user’s session.
This effectively gives them full control over the user’s VPN connection for as long as the attacker goes undetected. In some cases, the attacker could change the user’s password, holding their account to ransom or just acquiring it for their purposes.
If the attacker wishes, they could also use their position to spy on the activities of the target, harvesting valuable information for phishing attacks. And there are obvious security implications for state intrusion and corporate espionage.
Then there are the deeper consequences of this kind of exploit. Many people have come to rely on VPNs to protect their identities online, and attacks like Voracle dent that trust, causing many to doubt whether true privacy is possible.
However, as we will see, individuals can shield themselves against this style of attack, and VPNs have also taken action to protect their systems (and reputations). The security world has responded, and Voracle has mostly turned into a learning experience for VPN providers and users alike.
How have the major VPNs responded to the Voracle attack?
All major VPNs, as well as the architects of OpenVPN, were notified of the exploit as soon as it was identified. The OpenVPN Project did not respond proactively. Instead of changing their software to avoid automatic compression, they simply focused on issuing warnings to VPN developers and users, leading to criticisms that they could have gone further.
Thankfully, many VPNs have gone the extra mile. Seeing the threats posed to their business models by a Voracle attack, they moved quickly to offer solutions. Here are a few responses from key VPNs.
Almost straight after Nafeez finished talking at DEF CON, ExpressVPN’s team began solving the issue. A couple of days later, they published a blog post outlining how they had arrived at a workable solution. Basically, ExpressVPN took the simplest and best option available: choosing to disable OpenVPN compression. They haven’t updated their apps to give users additional security options, but this appears to be planned, giving users more flexibility about how they use OpenVPN.
A few days after the Voracle attack was outlined in Las Vegas, NordVPN put out a blog post claiming that their VPN was safe from similar exploits. In response to Nafeez’s revelations, they described a few sensible security precautions for customers to remember when using VPNs. But more importantly, they also disabled OpenVPN compression. They then tested their servers to see if disabling compression had damaged performance, satisfying themselves that it resulted in no discernible drawbacks for VPN users. So, according to their tech team, NordVPN users are “immune.” At least to this particular MITM attack.
Torguard also realized how serious an OpenVPN Voracle attack could be for their business and took swift action as soon as the exploit became public in August 2018. As with other major VPNs, Torguard decided to abandon compression across all of its servers. Again, they chose not to update the software of their apps, but may provide patches in the future for users who want to safely restore compression. But at the moment, they have taken the nuclear option, just to be on the safe side.
These are three of the elite-tier VPNs. But as you probably know, there are hundreds of VPNs around, and most use OpenVPN in some form. So if you are using a service and haven’t researched their response to Voracle, be sure to do so.
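One way to check an OpenVPN configuration file for the compression settings these providers turned off, as an added example (not any provider's or the OpenVPN project's code). The directive names are real OpenVPN options; the sample configuration is constructed and mixes client and server lines only to exercise the parser.

```python
import shlex


def classify(directive, args):
    """Map one OpenVPN compression directive to its effect on the tunnel."""
    arg = args[0] if args else None
    if directive == "comp-lzo":
        # Bare comp-lzo defaults to adaptive compression; "no" keeps only the framing.
        return "framing-only" if arg == "no" else "enabled"
    if directive == "compress":
        # Bare compress and the stub variants keep framing but do not compress.
        return "framing-only" if arg in (None, "stub", "stub-v2") else "enabled"
    if directive == "allow-compression":
        return {"no": "disabled", "asym": "receive-only"}.get(arg, "enabled")
    return None


def audit_openvpn_compression(config_text):
    """Return (line_no, directive, effect) for every compression directive found."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith(";"):  # ';' starts a comment line
            continue
        try:
            tokens = shlex.split(raw, comments=True)  # also strips '#' comments
        except ValueError:
            continue  # unbalanced quotes: not a directive line we can judge
        if tokens[:1] == ["push"] and len(tokens) > 1:
            tokens = tokens[1].split()  # server-pushed option, e.g. push "compress lz4"
        if not tokens:
            continue
        effect = classify(tokens[0], tokens[1:])
        if effect:
            findings.append((line_no, tokens[0], effect))
    return findings


# Constructed sample configuration (not from any real provider).
SAMPLE_CONFIG = """\
client
remote vpn.example.test 1194
cipher AES-256-GCM
comp-lzo            # legacy line: adaptive compression
;compress lz4
push "compress lz4-v2"
compress stub-v2
allow-compression no
"""

if __name__ == "__main__":
    for line_no, directive, effect in audit_openvpn_compression(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} -> {effect}")
```

A "framing-only" result means compression is off locally but the framing still lets the server push an algorithm later, so the server side needs the same check.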