We’ve seen recent reporting that implies PIA is vulnerable to the ‘VORACLE’ exploit. From our internal investigation, we are not vulnerable as compression is not enabled on the Private Internet Access service.
Compression was disabled on the 26th December 2014 in the server configuration. The server-side setting supersedes the client's local configuration and overrides any compression setting presented by the client's configuration file.
This prevents the VORACLE exploit from occurring because, according to the researcher's slides and results, compression must be enabled for the attack to work against a VPN service.
To confirm that compression was disabled from the server-side, we checked the configuration settings from the OpenVPN command line (with verb 4 enabled) to show the exact push statement disabling it:
“Mon Aug 13 16:12:59 2018 us=472321 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 22.214.171.124,dhcp-option DNS 126.96.36.199,ping 10,comp-lzo no,route 10.31.10.1,topology net30,ifconfig 10.31.10.6 10.31.10.5,auth-token'”
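As an added example, not part of the original post, the following Python checker applies the same test to a client log: it pulls the option list out of a verb-4 PUSH_REPLY line and reports whether the server pushed compression on or off. The log lines embedded in it are constructed samples, and the OpenVPN option semantics assumed (comp-lzo no and a bare compress leave compression off, any other comp-lzo or compress form enables it) are stated in the comments.

```python
import re

# Constructed sample log lines (not taken from the original post). The first mirrors
# the shape of the verb-4 PUSH_REPLY line quoted above; the second is a hypothetical
# server that still pushes adaptive LZO compression (bare 'comp-lzo').
SAMPLE_LOGS = {
    "compression_off": "Mon Aug 13 16:12:59 2018 us=472321 PUSH: Received control message: "
        "'PUSH_REPLY,redirect-gateway def1,ping 10,comp-lzo no,topology net30,auth-token'",
    "compression_on": "Mon Aug 13 16:13:02 2018 us=101010 PUSH: Received control message: "
        "'PUSH_REPLY,redirect-gateway def1,ping 10,comp-lzo,topology net30'",
}

PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,[^']*)'")

def parse_push_reply(line):
    """Return the list of options the server pushed, or None if the line is not a PUSH_REPLY."""
    m = PUSH_RE.search(line)
    if not m:
        return None
    return [opt.strip() for opt in m.group(1).split(",")[1:]]  # drop the PUSH_REPLY tag

def compression_state(options):
    """
    Classify pushed options as 'enabled', 'disabled' or 'not pushed'.
    Assumed OpenVPN semantics: 'comp-lzo no', a bare 'compress' and 'compress stub[-v2]'
    keep only the framing byte; every other comp-lzo/compress form turns compression on.
    """
    state = "not pushed"
    for opt in options:
        parts = opt.split()
        if parts[0] == "comp-lzo":
            state = "disabled" if parts[1:] == ["no"] else "enabled"
        elif parts[0] == "compress":
            state = "disabled" if parts[1:] in ([], ["stub"], ["stub-v2"]) else "enabled"
    return state

def check_log(text):
    """Scan a client log (verb 4 or higher) and report the compression state of the last PUSH_REPLY."""
    state = "no PUSH_REPLY seen"
    for line in text.splitlines():
        opts = parse_push_reply(line)
        if opts is not None:
            state = compression_state(opts)
    return state
```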
We also confirmed that on our mobile platforms (Android and iOS) the server configuration likewise supersedes the local settings, so compression is not allowed there either.
We are in contact with the researcher and will keep you updated if we see any evidence to the contrary. Additionally, we will endeavour to make sure any such reporting in relation to Private Internet Access is correct. For clarity:
“The list of VPN providers on my slides were just to help the audience understand the kind of VPNs that the talk was dealing with. Not that all of those VPNs were vulnerable. In fact, there are many VPN providers using OpenVPN and they could have this. This is why I worked with the OpenVPN team directly. Their usage [guidelines] now clearly talk about the security issues when compression is enabled."
- Ahamed Nafeez
As always, we would like to thank the researcher, and all security researchers, for helping expose issues in security software and making end users safer.