ExpressVPN on Tuesday launched a suite of open source tools that let users test for vulnerabilities that can compromise privacy and security in virtual private networks.
Released under the MIT License, they are the first public tools to allow automated testing for VPN leaks, the company said. The tools are written primarily in Python and are available for download on GitHub.
Originally built for automated regression testing of ExpressVPN's own software, the tools let anyone check whether a VPN is actually providing the complete protection it promises, said Harold Li, vice president at ExpressVPN.
“We believe the VPN industry as a whole has a duty to properly protect users who place their trust in our products,” he told LinuxInsider. “We’re open-sourcing these tools as part of an initiative to encourage the entire VPN industry to join us in investing in and identifying and addressing leaks.”
One-third of the participants in a November study Propeller Insights conducted for ExpressVPN cited cybersecurity as a reason to use a VPN, particularly to protect against cybersnooping over WiFi connections. About 25 percent cited the use of VPNs to make sure their ISP did not see their cyberactivity, while 15 percent said they used VPNs to protect against government surveillance.
The VPN testing tools can detect a wide range of potential leaks, the company said, including exposure of the user's real IP address through WebRTC. Users' Web activity also can be exposed when they switch from a wireless to a wired connection, and unencrypted data can leak when the VPN software crashes or cannot reach its server.
ExpressVPN claims to be one of the largest consumer virtual private networks in the world, offering clients for a variety of operating systems, including Windows, iOS, Android, Linux and others.
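The WebRTC leak mentioned above works because a browser gathers ICE candidates that can carry the machine's real addresses, not just the VPN egress. The following is an added example written for this page, not ExpressVPN's tool: it parses `a=candidate` lines as a browser would emit them and reports any public address other than the VPN egress. The candidate lines, the egress address 198.51.100.77 and the "real" address 203.0.113.5 are constructed sample data.

```python
"""Flag WebRTC ICE candidates that expose a non-VPN public address.

Added example for this article, not ExpressVPN's tool. Candidate lines are
constructed sample data in the format RTCPeerConnection.onicecandidate emits.
"""
import ipaddress
import re

# candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
_CANDIDATE_RE = re.compile(
    r"candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

# Ranges that are never a leak: RFC 1918, loopback, link-local, CGNAT, ULA.
# Listed explicitly rather than via ipaddress.is_global, which also treats the
# documentation ranges used in the sample data below as non-public.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]


def parse_candidate(line):
    """Return the candidate fields as a dict, or None if the line is not a candidate."""
    match = _CANDIDATE_RE.search(line)
    return match.groupdict() if match else None


def is_public_address(addr_text):
    """True for a routable IPv4/IPv6 address; mDNS '.local' names are not IP leaks."""
    try:
        ip = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return not any(ip in net for net in _NON_PUBLIC)


def find_webrtc_leaks(candidate_lines, vpn_egress_ip):
    """Public addresses exposed in the candidates that are not the VPN egress."""
    vpn_ip = ipaddress.ip_address(vpn_egress_ip)
    leaks = set()
    for line in candidate_lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        addr = cand["address"]
        if is_public_address(addr) and ipaddress.ip_address(addr) != vpn_ip:
            leaks.add(addr)
    return leaks


# Constructed sample: host candidates for the LAN address and an IPv6 address,
# server-reflexive candidates for the real ISP address and the VPN egress,
# and an mDNS-obfuscated host candidate as modern browsers emit by default.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 192.168.1.23 rport 54321",
    "candidate:3 1 udp 1686052607 198.51.100.77 40000 typ srflx raddr 10.8.0.2 rport 40000",
    "candidate:4 1 udp 2122260223 1a2b3c4d-0000-4000-8000-000000000000.local 54322 typ host",
    "candidate:5 1 udp 2122260223 2001:db8::1 54323 typ host generation 0",
]

if __name__ == "__main__":
    # Assumed VPN egress address: 198.51.100.77. Anything else public is a leak.
    print(sorted(find_webrtc_leaks(SAMPLE_CANDIDATES, "198.51.100.77")))
```

Run this with the egress address your VPN assigns you and the candidate strings collected from the browser under test; an empty set means no leak was observed for that candidate set, while a server-reflexive candidate carrying your ISP address, or any IPv6 host candidate, means the tunnel is being bypassed.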
The company offers extensions for a variety of browsers, including Chrome, Firefox and Safari. It supports VPN configurations for a variety of gaming consoles, including Xbox and PlayStation, as well as streaming video platforms such as Amazon’s Fire TV, Apple TV and others.
Trust but Verify
VPNs allow users to use private networks rather than untrusted public networks, but they still can leave them vulnerable in certain situations, said Andrew Howard, chief technology officer at Kudelski Security.
“They cannot protect data once it leaves the VPN, and administrators should not assume that a VPN connection to their network is safe, even if properly authenticated,” he told LinuxInsider.
There are opportunities for data leakage when setting up or tearing down VPNs, and leaks can happen during connection drops or software crashes, Howard said.
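The crash and connection-drop leaks described above, and the unreachable-server case mentioned earlier in the article, come down to one question: does any traffic leave the physical interface in the clear while the tunnel is down? The following is an added example for this page, not ExpressVPN's code. The real tools sniff the physical interface with a packet capture; here the capture is a constructed list of records, and the interface names eth0 and tun0, the VPN server 198.51.100.10 and the LAN 192.168.1.0/24 are assumptions.

```python
"""Detect plaintext egress on the physical interface during a VPN session.

Added example for this article, not ExpressVPN's code. A real harness would
fill the capture from tcpdump or scapy; the records below are constructed.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "ts iface src dst dport")

PHYSICAL_IFACE = "eth0"                              # assumed interface names
TUNNEL_IFACE = "tun0"
VPN_SERVER = ipaddress.ip_address("198.51.100.10")   # assumed VPN endpoint
LAN = ipaddress.ip_network("192.168.1.0/24")         # assumed local subnet
BROADCAST = ipaddress.ip_address("255.255.255.255")


def is_expected_on_physical(pkt):
    """Traffic that may legitimately appear on the physical NIC while a VPN is up."""
    dst = ipaddress.ip_address(pkt.dst)
    if dst == VPN_SERVER:
        return True      # the encrypted tunnel itself
    if dst in LAN or dst.is_multicast or dst == BROADCAST:
        return True      # local-only chatter: DHCP, mDNS, printers
    return False


def find_physical_leaks(capture):
    """Every packet that left the physical NIC in the clear, bypassing the tunnel."""
    return [p for p in capture
            if p.iface == PHYSICAL_IFACE and not is_expected_on_physical(p)]


def classify_leaks(leaks):
    """Separate DNS leaks (port 53) from other plaintext traffic."""
    out = {"dns": [], "plaintext": []}
    for p in leaks:
        out["dns" if p.dport == 53 else "plaintext"].append(p)
    return out


def fails_closed(capture, tunnel_down_ts):
    """True if nothing leaked once the tunnel went down, i.e. the kill switch held."""
    return not [p for p in find_physical_leaks(capture) if p.ts >= tunnel_down_ts]


# Constructed capture. The tunnel is up until ts 10.0, then the VPN server
# becomes unreachable and the client's kill switch is what keeps traffic off eth0.
SAMPLE_CAPTURE = [
    Packet(1.0, "tun0", "10.8.0.2", "203.0.113.80", 443),        # app traffic inside tunnel
    Packet(1.0, "eth0", "192.168.1.23", "198.51.100.10", 1194),  # same traffic, encrypted
    Packet(2.0, "eth0", "192.168.1.23", "192.168.1.1", 67),      # DHCP renew, local only
    Packet(3.0, "eth0", "192.168.1.23", "203.0.113.53", 53),     # DNS to ISP resolver: leak
    Packet(11.5, "eth0", "192.168.1.23", "203.0.113.80", 443),   # retry over bare NIC: leak
]
TUNNEL_DOWN_TS = 10.0

if __name__ == "__main__":
    leaks = find_physical_leaks(SAMPLE_CAPTURE)
    for kind, pkts in classify_leaks(leaks).items():
        for p in pkts:
            print(f"{kind:9s} ts={p.ts:<5} {p.src} -> {p.dst}:{p.dport}")
    print("fails closed:", fails_closed(SAMPLE_CAPTURE, TUNNEL_DOWN_TS))
```

The two leaks in the sample are different failures: the DNS query at ts 3.0 escapes while the tunnel is healthy, which is a routing or resolver-configuration problem, and the HTTPS retry at ts 11.5 escapes after the drop, which means the client does not fail closed. A test that only checks the second case will pass a VPN that leaks DNS the whole session.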
VPNs can help reduce the probability of successful attacks leveraging any WiFi vulnerability, including man-in-the-middle attacks, said Leigh Ann Galloway, cybersecurity resilience lead at Positive Technologies.
“VPN technology itself is quite well thought out from the point of information security, but the specific implementations might have flaws, just like any software,” she told LinuxInsider.
Vulnerabilities have been found in implementations like OpenVPN, Galloway noted.
In terms of data transfer, there can be leaks during implementation, she added. Leaks also might be attributable to certain software settings or applied encryption algorithms, depending upon stability, length of keys, and methods of key generation.