NordVPN, one of the most popular and widely used VPN services out there, yesterday disclosed details of a security incident that apparently compromised one of its thousands of servers based in Finland.
Earlier this week, a security researcher on Twitter disclosed that "NordVPN was compromised at some point," alleging that unknown attackers stole private encryption keys used to protect VPN users traffic routed through the compromised server.
In response to this, NordVPN published a blog post detailing about the security incident, and here we have summarized the whole incident for our readers to let you quickly understand what exactly happened, what's at stake, and what you should do next.
Some of the information mentioned below also contains information The Hacker News obtained via an email interview with NordVPN.
What has been compromised? — NordVPN has thousands of servers across the world hosted with third-party data centers. One such server hosted with a Finland-based datacenter was unauthorizedly accessed on March 2018.
How did it happen? — The company revealed that an unknown attacker gained access to that server by exploiting "an insecure remote management system left by the datacenter provider while we (the company) was unaware that such a system existed."
What has been stolen? — Since NordVPN does not log activities of its users, the compromised server "did not contain any user activity logs; none of the applications send user-created credentials for authentication, so usernames/passwords couldn't have been intercepted either."
However, the company did confirm that the attackers successfully managed to steal three TLS encryption keys responsible for protecting VPN users' traffic routed through the compromised server.
Though NordVPN tried to downplay the security incident in its blog post by quoting the stolen encryption keys as "expired," when The Hacker News approached the company, it did admit that the keys were valid at the time of the breach and expired in October 2018, almost 7 months after the breach.
What might attackers have achieved? — Almost every website today use HTTPS to protect its users' network traffic, and VPNs basically just add an extra layer of authentication and encryption to your existing network traffic by tunneling it through a large number of its servers (exit nodes), restricting even your ISPs from monitoring your online activities.
Now with some limited encryption keys in hand, attackers might have only decrypted that extra layer of protection coated over the traffic passed through the compromised server, which, however, can not be abused to decrypt or compromise users' HTTPS encrypted traffic.
In other words, the attack possibly allowed attackers to only capture users' unencrypted data exchanged with non-HTTPS websites, if any, or DNS lookups for some users, and also defeated the purpose of using a VPN service.
To be noted, "the (stolen encryption) keys couldn't possibly have been used to decrypt the VPN traffic of any other (NordVPN) server," the company confirmed.
How NordVPN addressed the security breach? — After discovering the incident a few months ago, the company "immediately terminated the contract with the server provider" and shredded all the servers NordVPN had been renting from them.
NordVPN also immediately launched a thorough internal audit of its servers to check its entire infrastructure, and double-checked that "no other server could possibly be exploited this way."
The company said next year, it will also "launch an independent external audit all of our infrastructure to make sure we did not miss anything else."
The company also admitted that it "failed" to ensure the security of its customers by contracting an unreliable server provider, and that it is "taking all the necessary means to enhance our security."
Should NordVPN users be worried? — Not much. People use VPNs for a variety of reasons, and honestly, if you're using it for privacy or escaping Internet censorship, you should not stop using VPN in the wake of such events.
However, before choosing a service you are always advised to do some research and pay for a service that you feel is trustworthy.
Earlier this week, a security researcher on Twitter disclosed that "NordVPN was compromised at some point," alleging that unknown attackers stole private encryption keys used to protect VPN users traffic routed through the compromised server.
In response to this, NordVPN published a blog post detailing about the security incident, and here we have summarized the whole incident for our readers to let you quickly understand what exactly happened, what's at stake, and what you should do next.
Some of the information mentioned below also contains information The Hacker News obtained via an email interview with NordVPN.
What has been compromised? — NordVPN has thousands of servers across the world hosted with third-party data centers. One such server hosted with a Finland-based datacenter was unauthorizedly accessed on March 2018.
How did it happen? — The company revealed that an unknown attacker gained access to that server by exploiting "an insecure remote management system left by the datacenter provider while we (the company) was unaware that such a system existed."
What has been stolen? — Since NordVPN does not log activities of its users, the compromised server "did not contain any user activity logs; none of the applications send user-created credentials for authentication, so usernames/passwords couldn't have been intercepted either."
However, the company did confirm that the attackers successfully managed to steal three TLS encryption keys responsible for protecting VPN users' traffic routed through the compromised server.
Though NordVPN tried to downplay the security incident in its blog post by quoting the stolen encryption keys as "expired," when The Hacker News approached the company, it did admit that the keys were valid at the time of the breach and expired in October 2018, almost 7 months after the breach.
What might attackers have achieved? — Almost every website today use HTTPS to protect its users' network traffic, and VPNs basically just add an extra layer of authentication and encryption to your existing network traffic by tunneling it through a large number of its servers (exit nodes), restricting even your ISPs from monitoring your online activities.
Now with some limited encryption keys in hand, attackers might have only decrypted that extra layer of protection coated over the traffic passed through the compromised server, which, however, can not be abused to decrypt or compromise users' HTTPS encrypted traffic.
"Even if the hacker could have viewed the traffic while being connected to the server, he could see only what an ordinary ISP would see, but in no way, it could be personalized or linked to a particular user. And if they do it not through this server, they would do it using MiTM," the NordVPN spokesperson told The Hacker News.
"On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com," the company said in its blog post.
In other words, the attack possibly allowed attackers to only capture users' unencrypted data exchanged with non-HTTPS websites, if any, or DNS lookups for some users, and also defeated the purpose of using a VPN service.
"We are strictly no-logs, so we don't know exactly how many users had used this server," NordVPN said. "However, by the evaluation of server loads, this server had around 50-200 active sessions."
To be noted, "the (stolen encryption) keys couldn't possibly have been used to decrypt the VPN traffic of any other (NordVPN) server," the company confirmed.
How NordVPN addressed the security breach? — After discovering the incident a few months ago, the company "immediately terminated the contract with the server provider" and shredded all the servers NordVPN had been renting from them.
NordVPN also immediately launched a thorough internal audit of its servers to check its entire infrastructure, and double-checked that "no other server could possibly be exploited this way."
The company said next year, it will also "launch an independent external audit all of our infrastructure to make sure we did not miss anything else."
The company also admitted that it "failed" to ensure the security of its customers by contracting an unreliable server provider, and that it is "taking all the necessary means to enhance our security."
Should NordVPN users be worried? — Not much. People use VPNs for a variety of reasons, and honestly, if you're using it for privacy or escaping Internet censorship, you should not stop using VPN in the wake of such events.
However, before choosing a service you are always advised to do some research and pay for a service that you feel is trustworthy.
TorGuard and VikingVPN were also compromised
It seems like NordVPN is not alone. Other popular VPN services, including TorGuard and VikingVPN, also suffered a similar security incident at the same time of the year.
In its blog post published Monday, TorGuard confirmed that a "single TorGuard server" was compromised and removed from its network in early 2018 and that it has since "terminated all business with the related hosting reseller because of repeated suspicious activity."
Since TorGuard has filed a legal complaint against NordVPN on June 27, 2019, possibly blaming it for the breach, the company refused to provide details about the specific hosting reseller or how the attacker gained unauthorized access.
However, TorGuard made it clear that its "server was not compromised externally, and there was never a threat to other TorGuard servers or users."
The company also said that out of all three, TorGuard was the "only one using secure PKI management," meaning its "main CA key was not on the affected VPN server."
"So if a worst-case scenario occurs and a VPN server is seized or even compromised, no one can tamper with or decrypt user traffic, or launch Man-in-the-Middle attacks on other TorGuard servers," the company said.
VikingVPN, on the other hand, has yet not responded to the security incident. We will update the article as soon as we hear from it.