New fingerprinting vulnerability in VPN's?

Hi, I recently found an academic paper showing how a new vulnerability within custom routers has been detected, which allows an observer to determine which network activity stream belongs to specific devices connected to the router. It has proven a 100% success rate with zero false positives.

This isn’t anything to be massively worried about but it does give the ability to do targeted monitoring of somebody behind a VPN.

The whole paper is pretty interesting and gives a good view into the arms race between people who want privacy and people who want to work against those who want privacy. I have linked it below.

Fingerprinting VPNs with Custom Router Firmware: A New Censorship Threat Model

Best viewed in Firefox/Tor so you can use the inbuilt PDF viewer.

(Hosted by CensorBib https://censorbib.nymity.ch/)

I’m not quite sure what’s new here. It describes how statistics on the router itself can be used to prove that VPN is being used. I don’t understand the attack vector, to be honest.

VPN has never been about hiding the usage itself - but about encrypting the traffic sent through it.

And this paper is no match for shadowsocks or the like, as they have not been tested at all. Instead, the use of individual VPN servers was detected… on the router… that could have been done more easily.

Or am I misunderstanding something fundamental?

I am in agreement. If someone really wanted to detect VPN usage, they could simply measure the entropy of the data payloads. And that can be performed pretty easily with commonly available open source tools. I am always more concerned about a link where someone says use this particular app to open this pdf file lol. No offense OP, but seriously this makes me automatically more skeptical.

I just said Firefox or Tor Browser since you don't have to actually download the PDF file itself, which I thought some users may prefer since PDFs can be used against a system they are downloaded to.

Definitely was not implying that you were doing anything malicious - but if I were doing something malicious I might have made suggestions on how to access the pdf. :sunglasses:

The issue is, the VPN client is connecting to the VPN Server and the connection (tunnel) is permanent.
If I open my laptop and sync emails via IMAP4s, there is a load of 3 mb, let's say a sequence of 6000 packages. Then I want to see which of my business partners have birthdays and visit linkedin via HTTPS; this results in a load of 20 mb (with all the ads) and 40000 packages.
I am secure, all connections are encrypted, although the router could profile me via DNS requests.

But if I am in a VPN the router sees one connection with 23 mb plus overhead and roundabout 46000 packages in a sequence… Does the router owner know 'this system is using a VPN'? And this can have more or less consequences in some organisations or states.

I don’t think the main goal of a GL-Inet router is to hide the VPN. There are more sophisticated solutions.
But since it is not a hole in the encryption or similar, I would say it is good to know, but nothing to worry about in most use cases.

Glad that this isn't true for WireGuard.

It sort of is to a point. If you are routing all network traffic between known hosts (or backhauling internet access), you can easily see that all of that host's traffic goes straight to another known host, with no other non-local traffic going anywhere else. And you can see from the IP address that it is not local traffic. Over time, this is a very unlikely condition to exist outside of VPN usage. You can surmise that this is in fact VPN traffic. If you are split-tunneling you can do the same with subnet-based traffic. If all traffic to a subnet is encrypted then over time you can make the same assumption. In the case listed in the pdf, you will see that an authoritarian group doesn't have to be 100% correct; they may be able to accept some amount of false positives at the expense of fewer false negatives.
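The concentration heuristic described in the post above, as an added example that is not part of this thread or of the paper: it aggregates constructed per-host flow records from the router's point of view and flags LAN hosts whose non-local bytes almost all go to a single remote endpoint (or, with prefix=24, a single subnet for the split-tunnel case). The LAN range, the sample flows and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (src_ip, dst_ip, bytes) as a router would see them.
# Byte sizes mirror the "3 mb mail sync" and "20 mb browsing" figures from the thread.
LAN = ip_network("192.168.8.0/24")  # assumed LAN
FLOWS = [
    ("192.168.8.10", "192.168.8.1", 500),          # local DNS chatter, not counted
    ("192.168.8.10", "203.0.113.5", 3_000_000),    # mail-sync sized burst, one endpoint
    ("192.168.8.10", "203.0.113.5", 20_000_000),   # browsing sized burst, same endpoint
    ("192.168.8.10", "203.0.113.9", 50_000),       # small stray flow elsewhere
    ("192.168.8.11", "198.51.100.7", 1_200_000),   # ordinary client: many endpoints
    ("192.168.8.11", "198.51.100.23", 800_000),
    ("192.168.8.11", "192.0.2.44", 2_500_000),
]

def concentration(flows, lan=LAN, prefix=32):
    """Per LAN host: (busiest remote key, its share of the host's non-local bytes,
    number of distinct remote keys, total non-local bytes). Destinations are
    grouped by /prefix, so prefix=24 reproduces the subnet view for split tunnels."""
    per_host = defaultdict(lambda: defaultdict(int))
    for src, dst, nbytes in flows:
        if ip_address(src) in lan and ip_address(dst) not in lan:
            key = str(ip_network(f"{dst}/{prefix}", strict=False))
            per_host[src][key] += nbytes
    out = {}
    for host, remotes in per_host.items():
        total = sum(remotes.values())
        top, top_bytes = max(remotes.items(), key=lambda kv: kv[1])
        out[host] = (top, top_bytes / total, len(remotes), total)
    return out

def likely_tunnels(flows, lan=LAN, prefix=32, min_share=0.95, min_bytes=1_000_000):
    """Hosts whose non-local traffic is almost entirely one endpoint or subnet.
    min_share and min_bytes are assumed thresholds; a real observer would also
    require the pattern to persist over time, as the post notes."""
    return {
        host: top
        for host, (top, share, _, total) in concentration(flows, lan, prefix).items()
        if share >= min_share and total >= min_bytes
    }
```

Lowering min_share trades false positives for fewer false negatives, which is exactly the tolerance the post says a censor can choose to accept.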

Tbh I still don't get what the new thingy is. Of course your ISP can detect VPN by looking into every IP package. You don't even need DPI for it.

I think I misinterpret the study somehow, because it would be totally useless to do a study about something that obvious.

I think it is not novel. I view this as a bit of a warning showing that you could still draw attention to what you are doing through the use of a VPN and that usage of the VPN itself could be the catalyst for a closer look. Agree, though, this is just not that useful lol.

Then it would be just like lots of studies I’ve seen in my time, by people going for a PhD. :wink:

Sadly, usually they get it!