Virtual private networks: they help you sidestep geographical media restrictions, and they keep your web browsing private, right? Well, not always, because even if the best VPNs add a welcome layer of security to our web setups, cybersecurity experts are warning that there are just as many VPN applications that expose their trusting users to surveillance and cyberattacks.
According to a broad range of specialists, many free and mobile VPNs in the market use unsafe protocols and log user activity, while even good virtual private networks can’t always guarantee to protect their users from the prying eyes of a jealous government or its intelligence agencies. That’s why it’s vitally important that we not only choose the most reliable and robust VPNs available, but that we also learn how to configure and run them. Otherwise, we may find ourselves in a similar situation to users of Fortigate and Pulse Secure, two VPNs which were targeted by cyberattackers last month.
Normally, VPNs are very useful and dependable tools, with 30% of all internet users employing a VPN at least once a month. “Generally speaking, a modern online VPN is a service that is designed to encrypt your entire computer’s traffic and at the same time hide your identity by routing your (now encrypted) traffic through one or more anonymous routers,” explains Yaniv Balmas, the head of cyber research at Check Point. “Assuming that the VPN provider uses up-to-date encryption methods and frequently changes its routing points, this service should provide a secure and robust service.”
However, Balmas adds that “the devil lies in the details,” with poorly implemented virtual private networks causing “more harm than good for its users.” In fact, the scale of the problem is actually more extensive than most people realise, because in many cases VPNs – and particularly free and/or mobile VPNs – not only don’t work as advertised, but also leave users open to viruses and privacy violations.
“We tested the top 150 free VPN Android apps and found that many had serious security flaws and performance issues,” warns Callum Tennent, a VPN expert and the site editor at Top10VPN.com. Referring to a study his website conducted in February, Tennent alarmingly reveals that 18% of the tested VPNs contained potential malware or viruses, 85% featured excessive permissions or functions that could put a user’s privacy at risk, and 25% exposed a user’s traffic to DNS leaks and other leaks.
And it’s not just free Android VPN apps that have a problem, because a companion study examining the top 20 VPN apps for iPhones and Android devices also turned up very similar results. Most disturbingly, Tennent points out that “59% [of the tested VPNs] had links to China, despite its strict ban on VPNs and its notorious internet surveillance regime. Many of these explicitly shared data with Chinese third parties.”
Some of the most well-known VPNs covered in the two studies include apps that have been downloaded anything from a million to 50 million times, such as Hotspot Shield Free, SuperVPN, Hi VPN, Turbo VPN, Snap VPN, X-VPN, and VPN Proxy Master. For instance, despite having witnessed five million downloads as of February, a VPN called Ultrasurf tested positive for potential malware, as well as for risky functions, such as taking the last known location of the host device (although Ultrasurf’s developers denied the validity of these detections).
In other words, a large number of free or cheap VPNs may be doing the exact opposite of what we expect from them, collecting and exposing our data rather than hiding it.
In some cases, a VPN isn’t simply inadequate, but rather actively malicious. As Avast’s Jonathan Lemmonier notes, “Fake VPN services, especially the free ones, can also be set up as honeypots to collect all of a user’s data, to deliver malware, and to spy on people (see Facebook’s Onavo VPN service). Remember: a VPN, in many cases, is just an ISP that you choose. They now have access to all of your online data.”
Of course, it would be bad enough if only free and untested VPNs had severe privacy issues. But the thing is, even when we’re using a highly reputable and well-developed VPN, we’re still not entirely safe from intrusions into our virtual privacy. And this will be of particular concern to journalists, dissidents, radicals, whistleblowers or anyone else who doesn’t want a national government keeping tabs on them.
“Your ISP can see you connecting to an IP address owned by a VPN service and the fact that your software is connecting to ports associated with VPN activity,” says Jake Moore, a cybersecurity specialist for ESET. “Therefore, the government will be allowed access to this data via a warrant if necessary, but not be able to decipher any that is encrypted.”
And in a growing number of instances, governments and intelligence agencies may not even need to go through a VPN company itself, depending on the protocols used by a virtual private network. “Open-source protocols like OpenVPN are completely transparent and can therefore be publicly tested for vulnerabilities and bug fixes,” says Callum Tennent. Unfortunately, he also explains that with closed-source protocols such as SSTP, for instance, it’s impossible to disprove the existence of backdoors or vulnerabilities, because the underlying code is inaccessible to researchers.
More worryingly, Tennent also notes that, since at least 2014, there have been reports that the popular IPsec protocol – and reliant protocols like IKEv2 – have been compromised by the NSA, and that the agency could break 66% of all IPsec-based VPNs. There is therefore reason to be very fearful if you happen to have a morally justifiable (or unjustifiable) reason for hiding your communications from government tentacles.
Still, even with these risks, experts advise that there are several things we can do to ensure that the best VPNs protect us as they should. In most cases, the best way of reinforcing a good VPN is simply to configure it properly, and to ensure that you aren’t logged in to services like Facebook and Google, which log browsing activity even with a VPN activated.
“Configuring your VPN properly is the first step in making it more secure,” says Callum Tennent. “Use the best protocol on offer, enable the kill-switch (which protects your IP address if the VPN connection unexpectedly drops), and use all leak protections available. It’s also wise to regularly test for leaks yourself.”
The question remains, however, whether VPNs ensure total privacy even when we do everything right and follow basic cybersecurity principles.
“In general VPNs are safe,” affirms Candid Wueest, Symantec’s principal threat researcher. On the other hand, Wueest also goes on to explain that, as safe as you make a VPN, the websites and servers you visit could potentially be compromised by an attacker or government agency, which presents a danger no VPN can avoid. Similarly, Avast’s Jonathan Lemmonier warns that, theoretically, governments could “tap every and all data centers of a provider, and monitor all exit nodes,” a warning which has gained credibility since August, when the British and South African governments both admitted having tapped undersea fibre optic cables.
Admittedly, such tapping represents a worst-case scenario. And while it’s arguable that little or nothing of what we do online is truly private, those of us who aren’t Edward Snowden can rest assured that the best VPNs do a good job of encrypting and anonymizing our web traffic. At the very least, we can be sure they do a good job of getting around geo-blocks.