VPNs work by channeling traffic through an encrypted tunnel, which is meant to preserve your online security and privacy. This way, your data will remain safe and secure from the prying eyes of hackers and other malicious parties.
To most people, personal information is so precious that they would pay anything to guard it. This is why most people try to invest in the best VPN service. Unfortunately, there is nothing much you can do if your VPN gets compromised.
In a much-publicized revelation, NordVPN and ProtonVPN were found to have serious security flaws. According to security researchers from Cisco Talos, the two VPN providers have had flaws in their services that allow hackers and other malicious entities to execute arbitrary code, thus placing many users at a significant risk. Both ProtonVPN and NordVPN suffered from vulnerabilities in the way their desktop users got VPN services.
While there was no evidence of exploitations linked to these security lapses, this incidence, which affects two major VPN providers, generated a lot of suspicion among VPN users. Some of them are still asking themselves critical questions, such as:
- Should I use a VPN at home?
- Should I use a VPN in 2019?
- Can a VPN be hacked?
- Can a VPN be blocked?
The Nature of the Security Flaws
The security bugs, which were named CVE-2018-4010 and CVE-2018-3952, were reportedly present in Windows devices until they were patched. NordVPN issued a final patch in August 2018, while Proton took a while, but it eventually patched things up in early September that year. Even with these patches, the code can still be executed (as per Talos’ report) by malicious parties with administrator privileges. These vulnerabilities are quite similar to what was found by VerSprite back in early 2018.
But for a separate exploit patched by both NordVPN and ProtonVPN a while back, probably these vulnerabilities would have never been discovered. Following the CVE-2018-10169 issue in April 2018, the security team at Talos embarked on a mission to look for similar exploits.
How Did the VPN Security Flaws Come About?
CVE-2018-10169 was a Windows privilege bug that permitted attackers to use a malicious OpenVPN configuration file that can hijack a connection. The issue was caused by the same design challenges in both ProtonVPN and NordVPN.
The user interface of both VPN tools allows a regular user with administrator powers to execute binaries, which include configuration options like server location selection. When the user executes these binaries, this information will be transmitted to a service via an OpenVPN file. This means you could use either the ProtonVPN or NordVPN client to run a VPN connection in a specified location.
Back in April 2018, VerSprite, a small Atlanta-based firm, was able to demonstrate that it could edit OpenVPN configuration files in ProtonVPN and NordVPN. The real danger is that anyone can design a malicious OpenVPN file and steal your information or even tamper with your VPN service. If that person has malicious intent, then a lot of users can lose their most-guarded information.
Fortunately, both VPN providers deployed the same patch to check the content of the OpenVPN file. But that wasn’t enough because Cisco discovered a gap in their patch that makes it possible for malicious parties to run arbitrary code.
Talos came to this conclusion after testing NordVPN version 126.96.36.199 and ProtonVPN VPN version 1.5.1. The defense of these patched versions could be circumvented by attackers.
Considering that a VPN provider like NordVPN has over a million users worldwide, the CVE-2018-3952 bug can cause significant damage. There are many users who depend on the two providers for online protection. In addition, a lot of users depend on their VPN services to stream content while they are away from home. If you are one of those people, you might be asking yourself: ‘Should I use a VPN while streaming?’ or ‘Should I use a VPN at home?’ With that said, all is not lost since the two VPN companies moved swiftly to address the security lapses.
VPN Security Fixes
The revelation of the security flaws triggered several VPN companies to come up with tighter security measures to counter the threat. Here are some security measures taken by the affected VPN service providers:
- NordVPN deployed a patch last August. It implemented a XML model to create OpenVPN configuration files. This measure was meant to prevent non-administrator users from editing the XML template.
- ProtonVPN too released a similar patch to address the issue. This provider fixes the issue by transferring the OpenVPN configuration files to the installation directory so that users without administrator privileges won’t modify them.
- Both VPN providers assured their customers that there is nothing to worry about since there is no evidence of vulnerabilities being exploited under their watch. NordVPN, in particular, reaches out to users to offer a full statement on the issue. According to the VPN provider, the CVE problem had already been fixed by the time Cisco updated the public on the issue.
- Both VPN companies also urged their users to update their clients. So, if you are using any of the VPN services in question, you should update your client to the latest version to avoid potential threats. It is better to be safe than sorry.
Other VPN Security Threats
Back in January 2018, Cisco issued a critical vulnerability alert to anyone who uses network security gadgets configured with WebVPN.
The vulnerability was in the SSL (Secure Sockets Layer) of the Cisco Adaptive Security Appliance (ASA) software. The flaw could lead to an unauthorized party remotely executing arbitrary code and taking charge of the device or causing a reload of the affected systems. WebVPN is a clientless VPN that allows users to access corporate resources from any device connected to the Internet. Regrettably, an attacker can use this feature to wreak havoc on the network. Because of this risk, this WebVPN bug was classified as a critical flaw with a CVSS (Common Vulnerability Scoring System) score of 10, the highest alert under this rating system. Cisco later released a software update that addressed the vulnerability.
According to another research commissioned by High-Tech Bridge (HTB), 90 percent of VPN services use insecure encryption or obsolete technology, thus exposing users to bigger risks. The same study revealed that most SSL VPNs use an untrusted SSL certificate or the vulnerable 1024-bit keys for their RSA certificates.
The above incidences and revelations have taught us one thing: investing in a robust VPN service is absolutely necessary if you want to guard your privacy while using the Internet. For the best experience, always strive to use a VPN that employs a military-grade encryption technology. Free VPNs may only help you with basic privacy, and they are usually associated with malware and fraud. If you are interested in learning more about VPNs and how to choose the one that fits your situation, check this VPN review resource.