We thought VPNs were secure, but with an increasing number of secure services reporting server breaches, that seems not to be the case. But how do these secure services get hacked in the first place, and how do hackers capitalize on it?
Here’s how VPNs get hacked and what it means for your privacy.
The VPN’s (Seemingly) Unbreakable Security
If we take a brief look at how a VPN works, it looks unhackable. This is the primary draw of a VPN, as people feel they can trust the service to maintain their privacy.
For one, your computer encrypts the connection before it leaves for the internet. This encryption makes a VPN a solid layer of defense against spying, as anyone snooping on the connection can’t read what you’re sending. Hackers can use public Wi-Fi connections to steal your identity, but a VPN can protect you from all attacks bar someone looking over your shoulder.
Even your ISP can’t see the packets you send, which makes VPNs useful for hiding your traffic from a strict government.
If a hacker manages to break into a VPN’s database, they may leave empty-handed. Many top VPNs hold a “no-logging policy,” which states that they won’t save records of how you use their service. These logs are a potential goldmine for hackers, and refusing to keep them means your privacy is maintained even after a database leak.
From these points, it’s easy to assume that a VPN is “unhackable.” However, there are ways that hackers can breach a VPN.
How VPNs Are Susceptible to Hacking
A hacker’s best point of entry is near the outer reaches of the VPN network. VPN companies sometimes opt not to set up servers in all the countries they want to support. Instead, they’ll hire out data centers established within the target country.
This plan often doesn’t introduce any complications and the VPN service adopts the servers without any issues. However, there is the rare chance that there is a hidden oversight in the data center that the VPN company isn’t aware of. In one reported case, a server that NordVPN rented out had a forgotten-about remote connection tool installed.
This tool was insecure and hackers used it to break in.
From there, the hacker found some additional files. The Register reports that this includes an expired encryption key and a DNS certificate. The key didn’t allow the hacker to snoop on traffic, and if they did, NordVPN says they’d only see the same data an ISP would see.
How Hackers Can Capitalize on a VPN Attack
This flaw is the main weakness that a hacker will try to exploit. Because the VPN doesn’t store logs of connections, a hacker’s best bet is to watch the data flow in real-time and analyze the packets.
This tactic is called the “man-in-the-middle” (MITM) attack. It’s when a hacker gets their information from monitoring data as it passes through. It’s not easy to pull off, but it’s not impossible to achieve. Should a hacker get their hands on an encryption key, they can reverse the VPN’s protection and peek at the packets as they pass through.
Of course, this doesn’t give hackers free rein over the traffic. Any data encrypted with HTTPS won’t be readable, as the hacker won’t have the key for it. Anything that’s plaintext, however, will be readable and potentially editable, which would be a severe privacy breach.
Should You Be Concerned About Your VPN Privacy?
While this does sound terrifying, don’t worry just yet. Before you panic, consider why you use or would use a VPN service. At the base level, a hacker monitoring a VPN connection would only see what an ISP would see. For some, this kind of breach doesn’t affect them at all; for others, it’s a severe breach of trust.
On one end of the spectrum, let’s assume you use a VPN so you can get around geo-blocks. You don’t boot up the VPN often, and when you do, it’s to watch shows on Netflix that aren’t available in your home country. In this case, do you mind that a hacker knows you’re watching the newest Labyrinth series?
If not, you may not want to protect yourself further—although some would argue that surrendering any part of your privacy is never right!
On the other side, VPNs are more than just a way to watch TV shows from overseas. They’re a way to browse the internet and speak freely without intervention from the government. For these people, a breach of their privacy could have severe ramifications.
If the thought of your privacy leaking in an attack is too much to bear, it’s worth taking the extra steps to protect yourself.
How to Protect Your Privacy With Additional Security
To start, it’s essential to realize that these breaches aren’t commonplace. Also, the hacker in the NordVPN case only gained access to one of the 5000+ servers. This means that the majority of the service was safe, and only a small section of users was under threat. As such, a VPN is still a useful way to protect your privacy.
However, if you’re very serious about staying anonymous, a VPN shouldn’t be your only line of defense. The attacks on VPNs have shown that they do have flaws, but that doesn’t mean that they’re entirely useless. The best way to maintain your privacy is to add another layer of privacy to what the VPN provides. That way, you’re not wholly dependent on your VPN service to protect you.
For instance, you can boot up your VPN, then use the Tor browser to browse the web. The Tor browser connects to the Tor network, which uses triple-encryption for its traffic. This encryption is applied before your computer sends it, much like a VPN.
If a hacker performs a MITM attack on your VPN connection, The Tor network’s encryption keeps your data safe. On the other hand, if your connection is compromised on the Tor network, the trail leads back to the VPN. If the VPN doesn’t store logs, the trail back to you goes dead.
As such, using two layers of security is an effective way to protect your privacy. Regardless of which side suffers a breach, the other one will pick up the slack.
How to Use a VPN Properly
VPNs can help secure your connection, but they’re not impenetrable. As we’ve seen from these incidents, hackers can infiltrate a VPN server and use keys to initiate a MITM attack. If you’re concerned about your privacy, it’s worth backing up a VPN with another layer of defense. That way, if one layer falls, the other is there to back you up.
Invulnerability behind a VPN service is one of the common VPN myths you shouldn’t believe, so it’s worth knowing what’s true and what’s fake.
Source: What That Means for Your Privacy
By Simon Batt
Techylawyer and its authors do not claim to have written this article, we acknowledge the works of the original author