New fingerprinting vulnerability in VPN's?

Hi, I recently found an academic paper showing how a new vulnerability within custom routers has been detected which allows an observer to determine which network activity stream belongs to specific devices connected to the router, it has proven a 100% success rate with zero false positives.

This isn’t anything to be massively worried about but it does give the ability to do targeted monitoring of somebody behind a VPN.

The whole paper is pretty interesting and gives a good view into the arms race between people who want privacy and people who want to work against those who want privacy. I have linked it below.

Fingerprinting VPNs with Custom Router
Firmware: A New Censorship Threat Model

Best viewed in Firefox/Tor so you can use the inbuilt PDF viewer.

(Hosted by CensorBib

I’m not quite sure what’s new here. It describes how statistics on the router itself can be used to prove that VPN is being used. I don’t understand the attack vector, to be honest.

VPN has never been about hiding the usage itself - but about encrypting the traffic sent through it.

And this paper is no match for shadowsocks or the like, as they have not been tested at all. Instead, the use of individual VPN servers was detected… on the router… that could have been done more easily.

Or am I misunderstanding something fundamental?

I am in agreement. If someone really wanted to detect VPN usage, they could simply measure the entropy of the data payloads. And that can be performed pretty easily with commonly available open source tools. I am always more concerned about a link where someone says use this particular app to open this pdf file lol. No offense OP, but seriously this makes me automatically more skeptical.

I just said Firefox or Tor Browser since you don’t have to actually download the PDF file itself which I thought some users may prefer since PDFs can be used against a system which its downloaded to

Definitely was not implying that you were doing anything malicious - but if I were doing something malicious I might have made suggestions on how to access the pdf. :sunglasses:

The issue is, the VPN client is connecting to the VPN Sever and the connection (tunnel) is permanent.
If I open my laptop and sync emails via IMAP4s, there is a load of 3 mb, let’s say sequence of 6000 packages. Than I want to see who of my business partners have birthday and visit linkedin via HTTPS, this results in a load of 20 mb (with all the ads) and 40000 packages.
I am secure, all connection is encrypted, although the router could profile me via DNS requests.

But if I am in a VPN the router sees one connection with 23 mb plus overhead and roundabout 46000 packages in a sequence… Do the router owner knows ‘this system is using a VPN’. And this can have more or less consequences in some organisations or states.

I don’t think the main goal of a GL-Inet router is to hide the VPN. There are more sophisticated solutions.
But since it is not a hole in the encryption or similar, I would say it is good to know, but nothing to worry in most use cases.

Gladly that this isnt true for WireGuard.

It sort of is to a point. If you are routing all network traffic between known hosts (or backhauling internet access), you can easily see that all of that hosts traffic goes straight to another known host, with no other non-local traffic going anywhere else. And you can see from the IP address that it is not local traffic. Over time, this is a very unlikely condition to exist outside of VPN usage. You can surmise that this is in fact vpn traffic. If you are split-tunneling you can do the same with subnet-based traffic. If all traffic to a subnet is encrypted then over time you can make the same assumption. In the case listed in the pdf, you will see that an authoritarian group doesn’t have to be 100% correct, they may be able to accept some amount of false positive at the expense of less false negatives.

Tbh I still don’t get whats the new thingy is. Of course your ISP can detect VPN by looking into every IP package. You don’t even need DPI for it.

I thing I misinterpret the study somehow because it would be totally useless to do a study about something that obvious.

I think it is not novel. I view this as a bit of a warning showing that you could still draw attention to what you are doing through the use of a VPN and that usage of the VPN itself could be the catalyst for a closer look. Agree, though, this is just not that useful lol.

1 Like

Then it would be just like lots of studies I’ve seen in my time, by people going for a PhD. :wink:

Sadly, usually they get it!

1 Like

Would doing multiple activities at once through the same VPN be enough to create sufficient fuzz to throw off any form of timing & size analysis?

I’ve always seen VPN as pretty bland in terms of how much investigative attention it could gain since every youtuber and his dog is giving away 97% off nordvpn codes and loads of people use them for big data transfers like netflix from different countries and torrent downloads

The study is to detect the use of a VPN. I feel like if you wanted to mask the VPN use against timing and size analysis, it will take a lot of work. The “fuzzing” you describe would need to take place outside of the VPN. You would really need to be able to hide the VPN traffic within the bulk of other traffic. One of the potential issues with VPN is the amount of upload traffic when using a VPN will likely be a little higher than standard traffic due to sessioning with the VPN itself. This may or may not be significant and would depend at least partly on the VPN technology (ipsec/ikev2, openvpn, wireguard, etc.).

The biggest issue, if you cannot hide the traffic in plain sight, is that the bulk of your comms will be back and forth from the VPN endpoint. That itself can make it pretty easy to see that a VPN may be in use. Then pair that with the other methods of detection, you can ascertain what kind of VPN it is, what the endpoint IPs are, and perhaps even monitor for split tunnel traffic, if the client is configured for that, to see what other sites they are hitting (updates for the client would give this away).

It is very difficult to effectively hide this traffic and it will likely required a much lower throughput of VPN traffic

What can be done against someone using a multihop wireguard VPN config? At router level obviously

Like I said, this fingerprinting is only to see that someone is using a VPN. It is not meant to decrypt traffic. Even with a multi-hop, you will see a long string of UDP to one or multiple hosts. If you can capture the initiating packet, you can see the public key being sent and surmise that this is a wireguard connection.