Millions of BitTorrent users who have chosen to hide their identities through a VPN service may not be as anonymous as they would like to be. Due to a huge security flaw, those who use IPv6 in combination with a PPTP-based VPN such as Ipredator are broadcasting information linking to their real IP-address on BitTorrent.
As pressure from anti-piracy outfits on governments to implement stricter copyright laws increases, millions of file-sharers have decided to protect their privacy by going anonymous. In Sweden alone an estimated 500,000 Internet subscribers are hiding their identities. Many of these use PPTP-based VPNs such as The Pirate Bay’s Ipredator or Relakks.
Thus far, these services were believed to adequately hide a user’s IP-address from people they connect to in BitTorrent swarms, but this is not always the case. At the Telecomix Cipher conference a security flaw was revealed that allows third parties to find the true IP-address of someone connected through a VPN.
The security risk is caused by a lethal combination of IPv6 and PPTP-based VPN services, which are very common. IPv6 is the Internet protocol that will succeed IPv4. The protocol is promoted by Windows 7 and Vista, among others, and most people are using it without even realizing it.
The technical details of the vulnerability, explained in this talk (see below), reveal that the true IP-address of users using IPv6 can be easily traced. Even worse, it seems that the Swedish Anti-piracy Bureau may already be using this flaw to gather data on ‘anonymous’ BitTorrent users.
The vulnerability is not limited to BitTorrent either. It can expose people who believe that they are hiding their real IP-address through nearly every connection.
In addition to this gaping hole in VPNs such as Ipredator and Relakks, the talk exposes several other weaknesses from a privacy point of view. Among other things, it is fairly easy to find MAC-addresses and computer names of people who use the same VPN.
The people who run Ipredator are aware of the issue, and TorrentFreak was informed that their users will be notified about the problem. Other VPNs using the same system may want to do the same. From our understanding of the issue, turning IPv6 off should alleviate the threat and make users fully anonymous again.