NordVPN, TorGuard privacy squall will likely blow over users’ heads, says VPN market expert
UPDATED The reputations of two popular VPN providers whose servers were compromised may be partly salvaged by their common policy of not logging user activity, according to a leading VPN expert.
Twitter’s infosec community was abuzz yesterday (October 21) with allegations that private encryption keys from three virtual private network vendors had been stolen and distributed online.
This potentially gave recipients scope to launch their own VPN servers under the guise of NordVPN or TorGuard.
Both NordVPN and TorGuard said the hacks were isolated cases, that no other servers were affected, and that no user data was intercepted or compromised.
(A third provider, VikingVPN, is yet to make a statement on archived screenshots that appear to indicate that the company also experienced a breach.)
The VPN providers’ very raison d’etre – insulating user data from theft and snooping – has been somewhat undermined as a result of the recently disclosed security incidents.
But Ariel Hochstadt, co-founder of VPN comparison site vpnMentor, suggested executives at the three companies were likely unfazed by the breaches.
This, Hochstadt suggested, was because VPN users leave a negligible data footprint within VPN environments and because, if surveys are to be believed, two thirds of them are relatively unconcerned about the security of their providers’ systems.
“I don’t think the people at Nord and TorGuard are too worried,” he told The Daily Swig. “Sixty-seven percent of users only want to stream blocked content or visit [prohibited websites from] China/Russia and other censored countries, so they don’t really care about security.”
If VPN providers’ mission is to safeguard privacy, then news of the breaches might seem like a damaging blow to their reputations, but Hochstadt believes their pro-privacy ethos will limit the actual impact.
“The other 33%” – heavy users for whom security is a concern – “would actually see that the companies didn't keep logs and that private information was not leaking,” he said.
Citing the case of a Turkish criminal investigation that was thwarted by the absence of user activity logs, Hochstadt added: “This incident would assure the smart users that the reputable VPNs are trustworthy, and even if they experience leaks, the fact that they don’t keep logs is the extra layer of security they were looking for.”
Any reputational damage that does result from the breaches, Hochstadt suggested, would actually be to the detriment of VPN users.
“The big fear we have is that users would turn to other brands that are not getting so much media attention but are actually sacrificing users’ privacy on a regular basis,” he said.
“Many free VPN apps are China-operated and gather your data and information. Others, located in the US, actively share any information the government asks them to share. So the main concern I have is that users would turn to less trustworthy VPNs or decide not to use a VPN ‘for now’, which would harm them much more.”
No user logs
On Twitter yesterday, links and images were shared that appeared to show that the VPN providers had fallen prey to a breach dating back to September 2017.
Posted by @hexdefined, the links appear to show an anonymous 8chan user taking credit for the attack. Expired ghostbin links with terminal output were offered as evidence.
The common factor in the attacks appears to be a poorly secured remote-management system, believed to be iLO or iDRAC, within the server.
However, NordVPN, which has around 12 million global users, placed the blame on a data center provider in Finland.
Claiming ignorance of the system’s existence, Nord said the server contained no user activity logs and that “applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted”.
The attacker, whose motive remains unknown, reportedly accessed LXC containers, cryptography keys and OpenVPN software files kept on the system.
The breach comes just days after NordVPN was slammed for inflated marketing claims.
In a blog post yesterday, TorGuard, which has servers in more than 50 countries, said it practices “secure PKI management network-wide”, so its Certificate Authority (CA) key is never stored on a VPN server.
It added: “We operate this way so if a worst-case scenario occurs and a VPN server is seized or even compromised, no one can tamper with or decrypt user traffic, or launch man-in-the-middle attacks on other TorGuard servers.”
TorGuard wrote that it removed the compromised server from its network in early 2018 and “terminated all business with the related hosting reseller because of repeated suspicious activity”.
Despite finding no security risks, TorGuard has “reissued all certs earlier this year per our security protocol”.
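The design TorGuard describes, keeping the CA signing key off every VPN server, is what limits the blast radius of a single server compromise: a leaf key can only prove it is that one server, it cannot mint certificates for others. The following Go program is an added illustration written for this article, not TorGuard’s or NordVPN’s code. It assumes hypothetical hostnames (`vpn-a.example`, `vpn-b.example`) and uses only the standard `crypto/x509` package: an offline root CA issues a certificate to server A, a client verifies it, and then server A’s key is treated as compromised and used to sign a certificate claiming to be server B, which the client rejects because the leaf is not a CA and is not in the trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates the self-signed root that, in the model the article describes,
// is kept offline and never copied to a VPN server.
func newCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example VPN Root CA"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// signServerCert issues a non-CA leaf certificate for host, signed with whatever
// issuer certificate and key the caller holds. The legitimate CA calls this with
// the root; the "compromised server" path below calls it with a leaf.
func signServerCert(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, host string, serial int64) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// clientVerify models a VPN client that trusts only the root CA and checks the
// presented certificate (plus any extra chain certs) for the expected hostname.
func clientVerify(root, presented *x509.Certificate, extra []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range extra {
		inter.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Outcome records whether the client accepted the genuine server A certificate
// and whether it accepted the certificate forged with server A's key.
type Outcome struct {
	LegitimateAccepted bool
	ForgedAccepted     bool
	ForgeError         string
}

// RunScenario issues server A's cert from the offline CA, then treats server A's
// key as stolen and uses it to sign a cert for server B (hypothetical hostnames).
func RunScenario() (Outcome, error) {
	caKey, caCert, err := newCA()
	if err != nil {
		return Outcome{}, err
	}
	keyA, certA, err := signServerCert(caCert, caKey, "vpn-a.example", 2)
	if err != nil {
		return Outcome{}, err
	}
	out := Outcome{LegitimateAccepted: clientVerify(caCert, certA, nil, "vpn-a.example") == nil}
	// The attacker holds only keyA/certA; the CA key never touched the server.
	_, forged, err := signServerCert(certA, keyA, "vpn-b.example", 3)
	if err != nil { // some Go versions refuse to sign under a non-CA parent at all
		out.ForgeError = err.Error()
		return out, nil
	}
	if err := clientVerify(caCert, forged, []*x509.Certificate{certA}, "vpn-b.example"); err != nil {
		out.ForgeError = err.Error()
	} else {
		out.ForgedAccepted = true
	}
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine server A accepted: %v\n", out.LegitimateAccepted)
	fmt.Printf("forged server B accepted:  %v (%s)\n", out.ForgedAccepted, out.ForgeError)
}
```

The check that matters is in `clientVerify`: because the client's trust store holds only the root, and a leaf certificate carries no CA basic constraint, a chain that ends in a compromised server key can never validate, which is exactly why an attacker with one server's files cannot impersonate other servers in the same PKI. The protection evaporates if the CA key is ever stored alongside the server key, which is the configuration TorGuard says it avoids.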
Upon discovering the incident, NordVPN said it immediately launched “a thorough internal audit to check our entire infrastructure”, adding:
We double-checked that no other server could possibly be exploited this way and started creating a process to move all of our servers to RAM, which is to be completed next year. We have also raised the bar for all data centers we work with. Now, before signing up with them, we make sure that they meet even higher standards.
The VPN provider did, however, confess to an error of judgement in “contracting an unreliable server provider”.
Nord says it’s already undertaken an application security audit, with other planned remedies including a no-logs audit, bug bounty program and an independent external audit of all infrastructure.
“I want to make it very clear that there are no indications that any of our customers were affected and their data was intercepted by a malicious actor,” the company’s Laura Tyrell told The Daily Swig.
“The tunnel itself is safe and has never been hacked. Our core databases, our code, and service itself are also secure and have not been affected. It was a single access to one of more than 5000 servers we have. The hacker managed to access this server because of the mistakes done by a data center owner.”
This article has been updated to include additional comments from NordVPN.