In recent years, many Internet users have turned to Virtual Private Network (VPN) services as a way to protect their privacy and personal browsing history from prying eyes. But now it looks like these very same VPN services might not be nearly as trustworthy as once thought. A high-profile hack of NordVPN, one of the most popular VPN services in the world, has raised some serious questions about just how safe these VPN services really are.
Details of the NordVPN hack
The more details that emerge about the NordVPN attack, the more questions it raises. First of all, there’s the matter of the timing of the attack, which NordVPN acknowledges took place in March 2018. It was not until recently, however, that NordVPN divulged the nature of the attack – and that was only after rumors started to emerge that a hack had, indeed, taken place. In fact, some rumors circulated that cryptographic keys needed to access NordVPN servers were now available for sale on the Dark Web. For its part, NordVPN says that it found out about the breach a few months ago, and had waited all this time to tell the public because it was conducting a super high-level security review of all of its IT infrastructure.
And then there’s the matter of what actually got hacked, and what information might have been available as a result of this hack. Here again there is a bit of drama involved. For example, NordVPN insists that hackers were only able to access a single server in Finland, and that all other servers in its network are completely, 100% safe. Moreover, NordVPN insists that no personal information or user data was divulged, no personal browsing history or user activity logs were made available to the prying eyes of hackers, and that the situation is now under control. NordVPN says it has ended its contract with its server provider in Finland, beefed up its security guidelines, and conducted a thorough review of all of its IT assets to make sure that such an attack could never happen again.
IT security experts weigh in on the NordVPN attack
But that’s not what IT security experts are saying. They directly contradict the “zero logs” assertion of NordVPN, and suggest that some personal browsing information might indeed have been snooped upon. Moreover, they suggest that a full remote compromise of the server provider’s systems took place: hackers exploited an insecure remote management system, which let them gain access to the server remotely. In short, a security flaw in the remote management system left NordVPN’s server vulnerable in ways that are still being felt today.
Some have even compared the VPN hack to someone stealing a car and taking it for a joyride before abandoning it later. Yes, the car is safely back in the possession of the original owner, but there are a lot of questions about how it was allowed to be stolen in the first place, or what people did to the car while they were driving it around. In a worst-case scenario, hackers gained control of private cryptographic keys, enabling them to set up fake NordVPN servers masquerading as real NordVPN servers. Users would think that they were using real VPN services, but instead, all of their personal information would have been acquired by third-party hackers.
A new wave of attacks on VPN services
By the very nature of the services they provide, VPN services are understandably very hush-hush about any security intrusions or data breaches, any of which might raise questions in the minds of Internet users. After all, would you seriously consider using any VPN services if you knew that they were only marginally more secure than your standard ISP?
And yet, stories of hacks of other VPN services have started to trickle out into the public mainstream or into tech blog posts. Other VPN services that have been hacked or breached include TorGuard and VikingVPN. What makes the hack of NordVPN so troubling is that it was a favorite of many savvy tech users. Tech publications such as CNET, TechRadar and PCMag routinely rated it among the very best VPN services available. So it’s not the case that one of the third-rate VPN services got hacked – this was an industry leader.
Tyler Reguly, manager of security R&D at Tripwire, explains why NordVPN has become so popular, and why it is now such a visible attack target: “NordVPN runs one of the bigger online advertising programs with YouTube content creators that I’ve seen. They even run a page to make it simple for any content creator to become an advertiser with them — https://nordvpn.com/influencers/. This takes it a step further than most of the other advertisers that I’ve seen frequently featured on larger channels. They have worked with major creators like PewDiePie, Philip DeFranco, and The King of Random… some of the largest channels on YouTube. They offer incredibly cheap 3-year plans that I’m sure plenty of these channel followers have signed up for, which would, I suspect, translate into a very large user base.”
VPN service vs. VPN service
Where things get even stranger is how the various VPN services appear to be engaged in a very twisted rivalry, where they are taking steps to embarrass other VPN services by divulging hacks and breaches. All of those rumors making their way into the media? They might just be the result of other VPN services leaking the information to the public in order to embarrass a rival.
Take, for example, the strange saga around NordVPN and TorGuard, both of which now admit to having been hacked. TorGuard has actually brought a court case against NordVPN, alleging that NordVPN tried to blackmail the company by raising security issues. Moreover, TorGuard alleges that NordVPN carried out DDoS attacks against TorGuard services, presumably as a form of retribution for not paying the blackmail or as a warning of what could happen later.
Steps that can be taken to protect VPN services in the future
So what can VPN services do to avoid becoming the victim of a data breach or a man-in-the-middle attack? Firstly, they need to make sure that full remote access to servers cannot take place. Secondly, they need to ensure that enterprising hackers cannot exploit usernames and passwords. Thirdly, they need to upgrade their security standards to limit any potential for attackers to gain access to their systems.
Kevin Bocek, vice president of security strategy and threat intelligence at machine identity protection provider Venafi, warns about the potential for future VPN attacks if these steps are not taken: “These breaches will become more common in the future. It is imperative organizations have the agility to automatically replace every key and certificate that may have been exposed in breaches. Quickly replacing machine identities is the reliable way to ensure privacy and security in a world where businesses run and depend on the cloud. This capability is especially critical in large enterprises that have tens of thousands of machine identities that must be protected against attackers.”
Certainly, NordVPN deserves some credit for the actions it has taken in the wake of the data breach of an insecure remote management system. Creating a new bug bounty program, for example, is a notable step towards beefing up its security practices. However, it is deeply concerning that NordVPN took so long to report the data breach, and that the company appears to have covered up the severity of the breach. Going forward, VPN services will need to take their security practices to the next level if they hope to maintain the trust of Internet users.