The fallout from the OpenSSL Heartbleed bug continues. Recently, personal virtual private network provider Mullvad said it was able to extract private encryption keys for OpenVPN from a test server.
The group behind OpenVPN had previously warned that OpenVPN could be vulnerable to attack since the open source VPN software uses OpenSSL by default. But Sweden-based Mullvad's tests appear to be the first proof-of-concept proving that extracting private keys is actually possible.
"We have successfully extracted private key material multiple times from an OpenVPN server by exploiting the Heartbleed Bug," Mullvad co-founder Fredrik Strömberg wrote on Hacker News. "The material we found was sufficient for us to recreate the private key and impersonate the server."
Vulnerability to Heartbleed is particularly damaging for users since VPNs are meant as an extra step to make sure your online communications are kept private. If attackers are able to extract the private keys and then impersonate the VPN server, it puts users' encrypted communications at risk.
As with all Heartbleed vulnerabilities, however, extracting information from a VPN server would take time and effort. Mullvad wouldn't say exactly how much data it had to gather to recreate the private keys in its tests. But the company did tell Ars Technica, which first reported on this story, that the exploit required more than 1 gigabyte of data but less than 10GB before it obtained the keys in full.
With Heartbleed leaking random data 64KB at a time, that means in Mullvad's case gathering the private keys required, at a minimum, more than 16,000 hits to the server. A number that should set off alarm bells for most IT admins.
Nevertheless, Mullvad's tests show the threat to providers using OpenVPN is real.
"Our exploit is decently weaponized...we believe it may severely impact those who have not already upgraded," Strömberg said in his Hacker News post. "You should assume that other teams with more nefarious purposes have already created weaponized exploits for OpenVPN."
Anyone who relies on a personal VPN service using OpenVPN should check with their provider to see if they're affected.