NordVPN, a virtual private network provider that promises to “protect your privacy online,” has confirmed it was hacked.
The admission follows rumors that the company had been breached. It first emerged that an expired internal private key belonging to NordVPN had been exposed, potentially allowing anyone to spin up their own servers imitating NordVPN.
VPN providers are increasingly popular because they ostensibly hide your browsing traffic from your internet provider and from the sites you visit. That’s why journalists and activists often use these services, particularly when they’re working in hostile states.
These providers channel all of your internet traffic through one encrypted pipe, making it more difficult for anyone on the internet to see which sites you are visiting or which apps you are using. But often that means displacing your browsing history from your internet provider to your VPN provider.
That’s left many providers open to scrutiny, as it is often not clear whether a given provider is logging every site a user visits.
For its part, NordVPN has claimed a “zero logs” policy.
“We don’t track, collect, or share your private data,” the company says.
But the breach is likely to cause alarm that hackers may have been in a position to access some user data.
NordVPN said that one of its data centers was accessed in March 2018. “One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.
The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.
NordVPN did not name the data center provider.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” said the spokesperson. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
According to the spokesperson, the expired private key could not have been used to decrypt the VPN traffic on any other server.
NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”
A senior security researcher we spoke to who reviewed the statement and other evidence of the breach, but asked not to be named as they work for a company that requires authorization to speak to the press, called these findings “troubling.”
“While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems,” the security researcher said. “That should be deeply concerning to anyone who uses or promotes these particular services.”
NordVPN said “no other server on our network has been affected.”
But the security researcher warned that NordVPN was ignoring the larger issue of the attacker’s possible access across the network. “Your car was just stolen and taken on a joy ride and you’re quibbling about which buttons were pushed on the radio?” the researcher said.
NordVPN said it disputes this. “We treat VPN servers as untrusted in the rest of our infrastructure. It is not possible to get access to other VPN servers, users database or any other server from a compromised VPN server,” said the spokesperson.
The company confirmed it had installed intrusion detection systems, a popular technology that companies use to detect early breaches, but “no one could know about an undisclosed remote management system left by the [data center] provider,” said the spokesperson.
“They spent millions on ads, but apparently nothing on effective defensive security,” the researcher said.
NordVPN was recently recommended by TechRadar and PCMag. CNET described it as its “favorite” VPN provider.
It’s also believed several other VPN providers may have been breached around the same time. Similar records posted online — and seen by TechCrunch — suggest that TorGuard and VikingVPN may have also been compromised.
A spokesperson for TorGuard told TechCrunch that a “single server” was compromised in 2017 but denied that any VPN traffic was accessed. TorGuard also put out an extensive statement following a May blog post, which first revealed the breach.
Note
The attributed cause is an insecure remote management system put in place by the data center provider without the company’s knowledge. Elaborating further, NordVPN explains that:
The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.
This, unfortunately, meant that an attacker holding the key could have impersonated NordVPN’s website to a targeted user and stolen their data, as Cryptostorm.is pointed out on Twitter. The good news is that no user data was compromised, and no other data center was affected in the process.
Furthermore, NordVPN’s team has started moving all of its servers to diskless, RAM-only operation, although the migration is not due to be completed until next year.
Ted Shorter, CTO at Keyfactor, a provider of secure digital identity management solutions, told HackRead that:
“Hackers gained access to the system at NordVPN that contained this, and at least one other sensitive encryption key.
That’s bad, but history has shown us that given enough time and resources, hackers can often find their way into high-value targets: breaches such as this have happened in 2019 more times than I can count. However, a defense-in-depth strategy could have at least prevented the hackers from stealing the private keys.”
It is important to note that this incident points to a larger problem: if companies vetted their data center providers more strictly, intrusions of this kind would be far less likely. Nonetheless, even if only in the aftermath, the firm has shredded all of its servers hosted with the compromised data center company, terminated its contract, and implemented a new set of standards for providers.
NordVPN says it did not disclose the incident earlier because it first needed to analyze its entire infrastructure, including over 3,000 servers, for similar weaknesses. Let’s hope that companies both in and beyond the VPN industry take heed from this incident and step up their security.
- The affected server was brought online on January 31st, 2018.
- Evidence of the breach first appeared on March 5th, 2018, but we were unaware of it at that time. Further evidence suggests that this is around when the breach is likely to have occurred.
- The breach was restricted when the data center deleted the undisclosed insecure management account on March 20th, 2018.
- We were notified about the breach on April 13, 2019. We shredded the server that same day.
- One server was affected in March 2018 in Finland. The rest of our service was not affected. No other servers of any type were put at risk. This was an attack on our server, not our entire service.
- The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service.
- No user credentials were affected.
- There are no signs that the intruder attempted to monitor user traffic in any way. Even if they had, they would not have had access to those users’ credentials.
- The attacker did acquire TLS keys that, under extraordinary circumstances, could be used to attack a single user on the web using a specifically targeted and highly sophisticated MITM attack that we detail further below. These keys could not and cannot be used to decrypt any encrypted NordVPN traffic in any form.
- Two other VPN providers were impacted in attacks published by the same intruder. We do not believe that this was a targeted attack against NordVPN.
- The incident effectively showed that the affected server did not contain any user activity logs. To prevent any similar incidents, among other means, we encrypt the hard disk of each new server we build. The security of our customers is the highest priority to us and we will continue to raise our standards further and further.
Here’s the full story along with more technical information:
A few months ago, we became aware of an incident in March 2018 when a server at a datacenter in Finland we had been renting servers from was accessed without authorization. This was done through an insecure remote management system account that the datacenter had added without our knowledge. The datacenter deleted the user accounts that the intruder had exploited rather than notify us.
The intruder did not find any user activity logs because they do not exist. They did not discover users’ identities, usernames, or passwords because none of our applications send user-created credentials for authentication.
The intruder did find and acquire a TLS key that has already expired. With this key, an attack could only be performed on the web against a specific target and would require extraordinary access to the victim’s device or network (like an already-compromised device, a malicious network administrator, or a compromised network). Such an attack would be very difficult to pull off. Expired or not, this TLS key could not have been used to decrypt NordVPN traffic in any way. That’s not what it does.
This was an isolated case, and no other servers or datacenter providers we use have been affected.
Once we found out about the incident, we first terminated our contract with the provider and eliminated the server, which we had operated since January 31, 2018. We then immediately launched a thorough internal audit of our entire infrastructure. We had to ensure that no other server could possibly be exploited this way. Unfortunately, thoroughly reviewing the providers and configurations for over 5,000 servers around the world takes time. As a result, we decided we should not notify the public until we could be sure that such an attack could not be replicated anywhere else on our infrastructure. Lastly, we raised our standards even further for current and future datacenter partners to ensure that no similar breaches could ever happen again.
We want our users and the public to accurately understand the scale of the attack and what was and was not at risk. The breach affected one of over 3,000 servers we had at the time for a limited time period, but that’s no excuse for an egregious mistake that never should have been made. Our goal is not to undermine the severity and significance of this breach. We should have done more to filter out unreliable server providers and ensure the security of our customers.
Since the discovery, we have taken all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure.
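The statement above rests on two claims about the stolen key: it was an expired TLS (web certificate) key, and it could only be abused in a targeted man-in-the-middle against the website, never to decrypt VPN traffic. The following Go program is an added example, not code from NordVPN or from either article, that shows what those claims mean in practice. It generates a throwaway self-signed certificate and key for a placeholder hostname (`vpn.example`; the real key, certificate and hostname are not on this page and are not reproduced), confirms that the key is the one behind the certificate, and then runs Go's standard x509 verification the way a validating client would, once during the certificate's validity window and once after expiry. The certificate dates are chosen so that the "valid" check falls in March 2018, the month of the breach.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a fresh P-256 key and a self-signed server certificate for host,
// valid from notBefore to notAfter. This is constructed test material for the example;
// nothing here is NordVPN's actual key or certificate.
func makeCert(host string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it serves as its own trust anchor below
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// keyMatchesCert reports whether a private key (say, one recovered from a compromised server)
// is the key behind a certificate's public key. An ECDSA key is a signing key only: nothing is
// ever encrypted to it, so holding it does not let anyone decrypt recorded traffic.
func keyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// clientCheck performs the validation a properly configured TLS client performs at time now:
// the certificate must chain to a trusted root, name the requested host, and be inside its
// validity window. A nil error means the client would accept an attacker presenting it.
func clientCheck(cert *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// rejectedAsExpired is true when verification failed specifically on the validity dates.
func rejectedAsExpired(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired
}

// Outcome summarises what an attacker holding the leaked key could do at two points in time.
type Outcome struct {
	KeyMatches      bool // the leaked key really is the certificate's key
	AcceptedIfValid bool // impersonation passes validation during the validity window
	RejectedExpired bool // the same impersonation fails once the certificate has expired
}

// Scenario builds the throwaway certificate and evaluates both points in time.
func Scenario() (Outcome, error) {
	const host = "vpn.example" // placeholder hostname, not the real site
	issued := time.Date(2017, 10, 1, 0, 0, 0, 0, time.UTC)
	expiry := issued.AddDate(1, 0, 0) // one-year certificate, expires 2018-10-01

	cert, key, err := makeCert(host, issued, expiry)
	if err != nil {
		return Outcome{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // the victim's client trusts this certificate's issuer

	duringValidity := clientCheck(cert, roots, host, issued.AddDate(0, 5, 0)) // 2018-03-01
	afterExpiry := clientCheck(cert, roots, host, expiry.AddDate(0, 0, 1))    // 2018-10-02

	return Outcome{
		KeyMatches:      keyMatchesCert(cert, key),
		AcceptedIfValid: duringValidity == nil,
		RejectedExpired: rejectedAsExpired(afterExpiry),
	}, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Two points follow from the run. First, while the certificate was inside its validity window, an attacker holding the key and sitting on the victim's network path could have presented it and passed every check a client makes, which is exactly the targeted MITM the statement describes; once the certificate expired, the same attempt fails on the dates alone, provided the client actually validates certificates (a device that already trusts an attacker-controlled root, or an application that disables verification, gets no such protection). Second, the key is a signing key, so possession of it never decrypts anything: VPN session traffic is protected by keys negotiated per session, not by the website's certificate key, which is why the company can say the key could not decrypt VPN traffic "in any form".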