Port Shadow VPN attacks: who's at risk and how to stay safe

Data Breach
Image Credit: Shutterstock (Image credit: Shutterstock)

A team of researchers is warning of a vulnerability affecting VPN platforms which could make users "less secure in specific situations."

What's been dubbed "Port Shadow" can allow attackers to act as a man-in-the-middle between you and the VPN server you're connected to. This potentially enables them to intercept and decrypt your VPN traffic, redirect your DNS request, and deanonymize your connection.

Before entering into panic mode, you should know that the best VPN services aren't vulnerable as they are precisely built to prevent third parties from exploiting this flaw. 

The new Port Shadow study builds on a 2021 research, in fact, meaning VPN developers were largely already aware of such a flaw. What's certain, though, is that the new paper shed yet another light on the importance of getting reputable VPN software.

The dangers of Port Shadow

As researchers explain in their paper, widely used VPN protocols (OpenVPN, WireGuard, OpenConnect) can be vulnerable to Port Shadow when they lack the right software infrastructure to prevent this flaw from being exploited. This virtually makes people using an ill-crafted VPN service actually less secure instead.

"Port Shadow attacks pose significant risks to user privacy," Karolis Kaciulis, Leading System Engineer at Surfshark, told me. "The primary threat is that malicious actors can intercept a user’s DNS requests and inject harmful DNS records in response. This manipulation allows attackers to redirect user traffic and could lead to further attacks."

This is because the Port Shadow flaw enables threat actors to target other users connected to the same VPN servers as they share a common port to establish the connection. 

Similarly when browsing a public Wi-Fi without the right protections in place, if the source port selection isn't randomized, it can ultimately enable third parties to snoop on your unencrypted data, scan your port entry, or even hijack your connection.

Despite how dangerous it all sounds, however, some VPN developers argue that exploiting this vulnerability isn't as easy in practice as it looks on paper.

"The attack vector is not very practical given it requires the attacker to know both the public IP address of the victim and the specific VPN server they are connected to," Samuele Kaplun, Ecosystem & VPN Lead at Proton VPN. "Given these requirements, we would be surprised if it was successfully exploited in the wild."

Lauren Hendry Parsons, ExpressVPN's spokesperson, shares a similar view. "Multiple preconditions would have to be met for anyone to be vulnerable to it," she said. "The way we assess it is that it’s essentially a lab-only attack: in theory, you could extend it to any basic VPN provider, but in reality, it's difficult to pull off, and it's not really clear what it gains you."  

How to protect against Port Shadow attacks

As mentioned earlier, the most reputable VPN providers have already built their software to successfully neutralize Port Shadow attacks. 

As the research paper reads: "We found that some VPN services operating over OpenVPN or WireGuard protocols are not susceptible to CVE-2021-3773, including NordVPN, ExpressVPN, and Surfshark." Alongside these services, also Proton confirmed to TechRadar that its VPN is not affected by it.

So, what are these VPN providers doing to protect you from Port Shadow attacks? And, most importantly, what can you do to boost your VPN security even more?

Using a reputable VPN 

The most secure VPN providers are built to ensure different entry and exit IP addresses. This aims, as Kaplun from Proton VPN explains, to prevent the creation of connection tracking among IPs, which is essential for carrying on the attack.

Commenting on this point, Parsons from Express said: "This is an industry best practice - it enhances user privacy by preventing websites or ISPs from tying activity to specific individuals."

Did you know?

VPN

(Image credit: Shutterstock)

A virtual private network (VPN) is security software that encrypts your internet connections to boost your online privacy by rerouting the data leaving your device into a secure encrypted tunnel. As you need to connect to one of its servers to use the service, a VPN also spoofs your real IP address allowing you to access otherwise geo-restricted content. 

Look out for a reliable kill switch 

A VPN kill switch is an additional layer of security to look out for as it's designed to protect your data from accidental exposure and leaks. Let's imagine your VPN connection drops, this advanced security feature will block your internet access until the connection to the VPN server is restored. 

The good news is that all the top-rated VPNs offer this tool, with our favorite NordVPN boasting two kill switches for doubling down on its protection. So, make sure to keep the kill switch option active at all times.

Get a Dedicated IP for extra safety

Considering that a shared IP is a key factor for being vulnerable to Port Shadow attacks, you could even completely cut off the problem directly from the source by getting a dedicated IP. As the name suggests, this indicates an address that only you will ever use - a security option offered by many providers generally for an extra fee.

It is worth reminding you that, while it can further mitigate the risk, a dedicated IP isn't strictly needed if you're using a trustworthy VPN. As NordVPN commented when I asked, "Our customers are safe regardless."

Disclaimer

We test and review VPN services in the context of legal recreational uses. For example:

1. Accessing a service from another country (subject to the terms and conditions of that service).

2. Protecting your online security and strengthening your online privacy when abroad.

We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.

Chiara Castro
Senior Staff Writer

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com