In late 2019, NordVPN, one of the leading world providers of virtual private networking services, confirmed their servers had been hacked, and the intruder had access to the server for about a month.
It might seem like no big deal, as the cybercriminals were able to sniff traffic for only 30 days or so. However, you should bear in mind that NordVPN is one of the largest virtual private network providers, with supposedly millions of customers all over the world.
NordVPN only admitted the data breach after rumors started circulating, not immediately after they discovered the breach.
This raises two questions at once: Are virtual private networks secure enough to trust them with your private data? Are VPN providers transparent enough to trust that they will alert you if a data breach occurs? Let’s find out.
The World of Virtual Private Networks
The virtual private network market worldwide stood at $45 billion in 2014 and is forecast to nearly double to $70 billion in 2019.
What it means for end-users is that, in theory, VPN service providers are bringing in enough cash to develop their respective products and make them more secure.
The same applies to the adoption of best practices to not allow unauthorized access to their command-and-control centers and server management systems.
You see, a VPN works by rerouting your internet traffic through a private tunnel, encrypting it in the process. In other words, it should enhance a user’s security, and leave nothing exposed, or threatened. So, why are we writing this article?
The Shocking Hacking Incidents
Apparently, VPNs are susceptible to hacking, despite being marketed as ultimate security tools. Well, all it takes is one simple flaw, and hackers will be all over the service.
NordVPN left an expired internal key exposed at one of their rented data centers, and a hacker then exploited an insecure remote management system left by the data center provider.
The service stated that the server did not contain any logs and that user names and passwords were not accessed.
It also acknowledged that the attack is not new. In fact, it took place back in 2018, but it was not until recently that NordVPN divulged the nature of the attack.
Also, there are rumors that the cryptographic keys needed to access NordVPN’s servers still exist on the Dark Web. But the provider assured everyone that no personal browsing history or user activity was made available to hackers.
Moreover, NordVPN says it has ended its contract with its servers’ provider in Finland, beefed up its security guidelines, and done whatever is needed so that this incident won’t be repeated.
It’s now asking its customers to put their trust back in the service. NordVPN stated that this hack did not cause any damage. While this statement convinced some users, others felt that the hackers could decrypt some of the traffic.
What Did Experts Say?
Here’s a problem. How would any user put their faith back in a service when IT experts are going up against it? They contradict the No-logs policy of NordVPN.
They stated that some of the personal data might indeed have been made public. Moreover, they said that a full remote compromise of the server provider’s systems occurred, with hackers exploiting an insecure remote management system.
In short, such a security flaw damaged NordVPN’s reputation in ways that are still felt today. NordVPN is one of the top services around the world. It’s the first time such a breach has occurred with the provider, but it’s certainly not the first overall.
The Avast Hack
The same thing happened with Avast, an antivirus company that also offers a VPN, which allowed cybercriminals with stolen credentials for a VPN service to connect to their internal network for months between May and October 2019.
It raises the very serious question of whether you can trust the very VPN service providers and not their software. Well, the hack was an apparent attempt to tamper with the company’s CCleaner product.
Back in 2017, hackers stole trade secrets from high-profile tech firms by rigging version 5.33 of CCleaner with well-hidden malware. This malware secretly collected system information on computers that had installed it.
According to Jaya Baloo, Avast Chief Information Security Officer (CISO):
“We do not know if this was the same actor as before. The user, whose credentials were apparently compromised, did not have domain admin privileges. However, through a successful privilege escalation, the actor managed to obtain domain admin privileges.”
Avast got rid of the hackers from its network on October 15th, 2019, by terminating the VPN profile. Moreover, it made a “clean update” to CCleaner that was signed with a new digital certificate.
Now, they’re promising that after all these precautions, they are confident that their CCleaner users are protected and unaffected.
The Sad Truth
No software is 100% free of bugs, really. Some bugs are critical; others are no more than badly written code that you can easily rectify without the bug causing any serious trouble.
The grave problem occurs when you have one or more critical bugs in the programming code or when you are not following the best cybersecurity practices to protect both your software and servers you use to run the software and transfer data.
A combination of both results in a devastating situation. An attacker can get access to your data but is also able to control how your VPN software works. The former happened at NordVPN, while the latter is the case with Avast.
The potential problem only worsens, as the majority of VPN providers tend not to disclose breaches occurring within their own systems.
You can easily understand them: Their core business is to keep your connections secure and your data private, and admitting breaches in their software or server performance hurts their reputation badly. But it makes it more difficult for end-users to select and configure a reliable VPN service.
A Sadder Truth
Sometimes, you don’t have to worry about the VPN getting hacked. In fact, in some cases, the VPN could help hackers without the need for an effort, courtesy of DNS/IP leaks.
If the VPN is not credible enough, it might leak your data while connected to their servers. This results in your ISP or hackers being able to ‘see’ and monitor your online activity, despite having your traffic flowing through an encrypted tunnel.
As seen in the image above, the entities that are after your data are in the middle. If a leak occurs, they can learn and monitor anything you’re doing. Such leaks can compromise the following:
- All your requests.
- Your IP address.
- Date and time of day.
- Operating system.
- The browser you’re using.
- Your Internet Service Provider.
- Your physical location.
To circumvent the issue, you should always run your connections through leak tests. However, to begin the process, try opting for a VPN that offers DNS and WebRTC leak protection.
This helps ensure that no such incident will occur, to begin with. Be careful what you choose as some VPNs are reported to leak information such as the ones below:
- Oxx VPN (free & paid version)
- Hola (free version)
- VPN.ht (paid version)
- Secure VPN (paid version)
- DotVPN (free version)
- Speedify (free version)
- Betternet (free version)
- Ivacy (free version)
- Touch VPN (paid version)
- Zenmate (free version)
- Ace VPN (paid version)
- AzireVPN (paid version)
- BTGuard (paid version)
- Ra4w VPN (paid version)
- VPN Gate (free version)
Always check your IP address. If it’s one provided by the VPN, no leaks are in place. However, if it shows your true IP address, that’s when you should be concerned.
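The IP check described above, extended to DNS and WebRTC leak-test results, as an added example that is not part of the original article. All addresses, ranges and the `check_leaks` helper are constructed for illustration; it assumes you noted your real public IP before connecting and know the VPN's exit range.

```python
import ipaddress
import re

# Constructed sample values from documentation address ranges, not real measurements.
REAL_IP = "198.51.100.23"        # public IP noted before connecting to the VPN
ISP_NETS = ["198.51.100.0/24"]   # assumed ISP range (covers its DNS resolvers)
VPN_NETS = ["203.0.113.0/24"]    # assumed range of the VPN's exit servers

SAMPLE = {
    "egress_ip": "203.0.113.45",                        # what an IP-check page shows
    "dns_resolvers": ["203.0.113.53", "198.51.100.1"],  # resolvers a DNS leak test saw
    "ice_candidates": [                                 # WebRTC candidates from the browser
        "candidate:1 1 udp 2122260223 192.168.1.5 51000 typ host",
        "candidate:2 1 udp 1686052607 198.51.100.23 51000 typ srflx raddr 192.168.1.5 rport 51000",
        "candidate:3 1 udp 2122260223 3f1c9a2e-0000-4000-8000-abcdefabcdef.local 51001 typ host",
    ],
}

CANDIDATE_RE = re.compile(r"candidate:\S+ \d+ \S+ \d+ (\S+) \d+ typ \S+")

def in_nets(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def check_leaks(obs, real_ip=REAL_IP, isp_nets=ISP_NETS, vpn_nets=VPN_NETS):
    """Return a list of (kind, address) findings; an empty list means no leak seen."""
    findings = []
    # IP leak: the visible address must belong to the VPN, never to you.
    if obs["egress_ip"] == real_ip or not in_nets(obs["egress_ip"], vpn_nets):
        findings.append(("ip", obs["egress_ip"]))
    # DNS leak: a resolver inside the ISP's range means lookups bypass the tunnel.
    for resolver in obs["dns_resolvers"]:
        if in_nets(resolver, isp_nets):
            findings.append(("dns", resolver))
    # WebRTC leak: any ICE candidate that carries the real public address.
    for line in obs["ice_candidates"]:
        m = CANDIDATE_RE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # mDNS hostname (*.local) hides the address; nothing to compare
        if addr == ipaddress.ip_address(real_ip):
            findings.append(("webrtc", str(addr)))
    return findings

if __name__ == "__main__":
    for kind, address in check_leaks(SAMPLE):
        print(f"{kind} leak: {address}")
```

In the constructed sample the visible IP belongs to the VPN, yet one DNS resolver and one WebRTC candidate still expose the ISP and the real address, which is why the IP check alone is not sufficient.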
The Unhackable VPN Myth
A good number of VPN providers claim their software is unhackable. Most of them are organizations that develop VPN software or VPN clients based on open-source code or VPN apps that run on Linux or Unix-like operating systems.
A popular myth goes around saying that you cannot hack a Linux-based system unless you are a very advanced hacker or a hacking group backed by a government.
There is some truth in this statement, and Linux and Unix systems provide a higher level of security as compared to Windows and macOS operating systems. But the truth is that there is no impenetrable computer system or application, and VPNs are no exception to the rule.
In December 2019, a team of cybersecurity researchers disclosed a severe bug that attackers can use to compromise most Linux distributions as well as Unix-based systems. The vulnerability affects numerous operating systems, including FreeBSD, OpenBSD, macOS, iOS, and Android.
To make things even worse, the vulnerability does not rely on the VPN technology used. Cybercriminals can successfully use what is called CVE-2019-14899 to take control of the most widely used VPN protocols like OpenVPN, WireGuard, IKEv2/IPSec, and others.
The Most Affected Systems
This latest vulnerability in VPN protocols affects the systems listed below, and the list will probably grow with time:
- Ubuntu 19.10 (systemd)
- Fedora (systemd)
- Debian 10.2 (systemd)
- Arch 2019.05 (systemd)
- Manjaro 18.1.1 (systemd)
- Devuan (SysV init)
- MX Linux 19 (Mepis+antiX)
- Void Linux (runit)
- Slackware 14.2 (rc.d)
- Deepin (rc.d)
- FreeBSD (rc.d)
- OpenBSD (rc.d)
These latest findings put an end to the myth of the secure Linux- or Unix-based VPN client. This might be good news, as it will force Linux users to take the privacy and security of their connections more seriously.
A Quick Word of Advice
Information is a commodity in our digital age, and both corporations and fraudsters are after any personal, private, or sensitive data they can get and monetize in some way.
VPN services are intended as a barrier to prying eyes as well as an added protection against data theft. Unfortunately, VPN software is not as secure as many users believe, and there is much to improve where VPN providers’ security and transparency practices are concerned.
You should not be too worried if you are using a VPN service for streaming video/audio or if you are taking advantage of VPN servers to access websites that are banned in your current location.
But you should be well aware that trusting a VPN with sensitive data and login credentials for other services bears certain risks. It might sound paranoid to the average user, but if you treat a VPN application as an insecure one, you will be just fine most of the time.
Should You Trust a VPN? Final Words
Trust is a big word, and flaws teach both the service and the customer. Such incidents will open users’ eyes to the truth that a VPN is not that safe after all.
Any software is subject to hacking. All you have to do is take proper precautions and not rely on the VPN alone. Stay skeptical, be paranoid, it’s ok. If you don’t do that, you’ll be risking your personal information.
We hope that this guide was helpful. If you have any more questions, feel free to drop them in the comment section below.