Are virtual private networks actually private?
Jedidiah Crandall works to protect internet freedom and digital security
In countries where internet censorship and surveillance are government policy, online safety is crucial for at-risk users. Those who have a prominent online presence, like journalists, activists and politicians, can face dire consequences for simply browsing certain websites.
Virtual private networks, or VPNs, are designed to keep users’ data protected from surveillance, but for those whose lives can depend on their effectiveness, whether VPNs can do what they claim is of utmost importance.
The effectiveness of VPNs’ ability to protect users fuels the research of Jedidiah Crandall, an associate professor of computer science with a joint appointment in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University, and ASU’s Biodesign Center for Biocomputing, Security and Society.
Crandall explains that VPNs conceal your internet protocol, or IP, address by routing your traffic through a different server than your own, so that your activity appears to originate outside your normal network.
“VPNs were originally designed to get into a secure network, but companies have repurposed them so you can escape a restrictive internet service provider you don’t trust and access a free and safe one instead,” Crandall says. “So, the way people use VPNs today is kind of backwards.”
Crandall notes this access is helpful when users are worried about their browsing data being monitored through their internet service provider, or ISP, or when users are in a country that censors their internet activity.
Resources like OpenVPN, a leading global private network and cybersecurity company whose software is the most widely used basis for commercial VPN services, boast access to tools that quickly and easily connect to private networks and safeguard assets. Crandall’s research aims to test such claims of privacy and expose whether VPNs may create a false sense of security for their users.
“We’re really just asking the fundamental questions like, ‘When you repurpose VPNs in this way, do they actually have the security properties that people expect?’” he says, reiterating his work’s focus on at-risk users who face severe consequences from censorship and surveillance policies. “The first part of the research that we did was looking at the VPN tunnel itself, which is an encrypted tunnel between the VPN server and the client, to see what kind of damage attackers can do from there.”
To discover how attacks can be made, Crandall and a group of fellow researchers simulated a series of attacks from two potential threat paths: client-side, or direct attacks on the user’s device, and server-side, or attacks on the VPN server the user’s device connects to and on the VPN tunnel between them. The group detailed their findings in a paper titled “Blind In/On-Path Attacks and Applications to VPNs.”
The team concluded that traffic can still be attacked from the tunnel in the same ways as if a VPN were not being used, with attackers able to redirect connections and serve malware, which is precisely what users believe a VPN protects them from.
Looking at the threat of an attack as a possibility and not simply a hypothetical problem, Crandall collaborated with a team of researchers — including colleagues at the University of Michigan and Merit Network — on a paper titled “OpenVPN is Open to VPN Fingerprinting” for the 2022 USENIX Security Symposium.
The research addresses how VPN adoption has seen steady growth due to increased public awareness of privacy and surveillance threats and how some governments are attempting to restrict access by identifying connections using deep packet inspection, or DPI, technology, which is commonly used for online eavesdropping and censorship.
The research team’s efforts won the symposium’s Distinguished Paper Award and first place in the 2022 Internet Defense Prize competition, sponsored by Meta. As part of the prize, Meta awarded the team $110,000 to continue the research.
“I was happy to be able to contribute to this work, but a lot of the credit goes to the team at the University of Michigan, which really spearheaded this research,” Crandall says. “A big part of this work is trying to set the standards of how to bring together different stakeholders so that everyone from the VPN providers to the users has the same expectations, but we’re also trying to define what those expectations should be.”
Crandall, his University of Michigan research partner, Roya Ensafi, and Michael Kallitsis of Merit Network secured a grant of $1.2 million from the National Science Foundation to expand their broader research of the VPN ecosystem. The grant enables them to devote attention to aspects of VPN security and privacy that are in use in practice but remain severely understudied and unvetted.
“For people around the world, there can be a lot at stake when VPN providers market with false claims about their services. Our research exposed how VPN-based services, including the ones marketing their VPN service as ‘invisible’ and ‘unblockable,’ can be effectively blocked with little collateral damage,” says Ensafi, an assistant professor of electrical engineering and computer science. “Jed is one of the leading internet censorship researchers who has been focusing on network interference since 2005, so he has been instrumental in moving this research forward.”
Prior to joining the faculty at the University of Michigan, Ensafi began her research partnership with Crandall while she was his doctoral student at the University of New Mexico, where she drew on her experience living with strict internet censorship in Iran to inspire their work.
“I really credit Jed for his guidance and partnership in this research,” she says of her former adviser. “He’s a person who invests in students and sees their potential, even when they don’t see it themselves. I would not be the top-tier faculty member I am today without his advisement and mentorship.”
Outside of his work at ASU, Crandall collaborates with his current computer science doctoral students on projects as part of a research team they founded called Breakpointing Bad, a nonprofit group providing technical expertise and capabilities to populations whose digital rights are at risk. One of those students is Benjamin Mixon-Baca, both a doctoral student and graduate research assistant in the Biodesign Center for Biocomputing, Security and Society. Mixon-Baca has worked with Crandall since the nonprofit was founded in 2019.
“Jed thinks about problems in interesting ways and sees novel solutions unlike anyone I’ve worked with,” Mixon-Baca says. “He knows how to motivate people, solve problems and get a lot of interesting research accomplished. I’ve benefited from his supervision personally and professionally.”
As he looks to the future, Mixon-Baca sees a continued need for this research.
“As VPNs continue experiencing increased usage, repressive countries have developed some of the most sophisticated censorship and surveillance technology in response,” Mixon-Baca says. “This work is crucial to make progress toward understanding how these systems operate and developing defenses for attacks on the users who depend on VPNs.”