Should we trust NordVPN ?

NordVPN gets hacked, acknowledges its mistake after 7 months. Sounds fishy? Well there is more to the news. As NordVPN claim nothing major could have been done through this Hack and the minor things that can be done are only “under extraordinary circumstances“. Lets explore and look how everything went down

NordVPN Hack Timeline

• On Januray 31st, 2018 NordVPN signs a contract with a service provider and starts a new server.
• March 5th, 2018 evidence of breach is found by the data center.
• March 20th, 2018 the datacenter deletes the vulnerable accounts.
• April 13th, 2019 NordVPN is notified about this incident after 1+ year.
• October 21st, 2019 NordVPN admits publicly that a breach happened and they have been working on it.

Note: NordVPN claims that they were not informed about the breach on any occasion prior to the date “April 13th, 2019”.

What happened in the NordVPN hack

A hacker gained unauthorized access to a remote management system. After gaining access the hacker could monitor traffic such as websites the NordVPN users are visiting at that moment and could have injected malicious stuff into the plaintext traffic. Although the hacker couldn’t know what specific content was being seen but only the websites. The hacker also acquired an expired Transport Layer Security key (TLS key) using which the hacker could have intercepted single user’s web traffic but would require extraordinary access to the victim’s device or network. NordVPN claims that it has a No-Log Policy which means no collection or sharing of sensitive data. Read more about NordVPN No-Log policy.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,”

a spokesperson said.

NordVPN claims that this breach was the fault of data center and their only mistake was using an unreliable server provider. The server provider is not named by NordVPN. They said that the attack was done by gaining unauthorized access to an insecure remote management system which was added by the data center without notifying NordVPN. They do admit that the hacker could monitor traffic such as websites but not specific content.

I Got NordVPN TLS Key – Now What ?

As per NordVPN the Private TLS key were expired. Using this Man-in-the-middle (MITM) attack can happen. Everything a user sends or requests from the website or server the user is met with an appropriate answer from that website or server which is encrypted. In MITM attack a hacker can change response received from the website and even inject malicious code within the request. Although once the transmission is encrypted there is not much one can do, but all that changes if you own TLS Key – these cryptographic key is the solution to decrypt all the encrypted traffic, After decrypting the hacker can modify, read, store or do anything with the information gained. Although for Man-in-the-middle attack to be possible the hacker has to be within the reception range of the victim’s unencrypted WiFi OR have access to the website which is being visited by the victim.

NordVPN’s Mistakes and Lies

• Firstly NordVPN said “We decided we should not notify the public until we could be sure that such an attack could not be replicated anywhere else on our infrastructure” but their internal audit has not been completed then why did they publicly announce this?
  Hint: You won’t find the answer on their website’s blog. Because the hacker posted all of the proof of hacks online on 20th Oct, 2019. Yes everything is a lie.

• This is the certificate: https://crt.sh/?id=10031443 . Now with the Certificate + key you can do wonders.
• NordVPN saying that it is just an expired TLS certificate, It is way more than that. The hackers found the expired TLS keys and the certificate using which they could act as NordVPN for victim’s and exploit them without any of their knowledge.
• They also said this was a third-party provider breach and none of their fault. Well that’s where they are wrong. The keys and certificates were of? NordVPN! whose fault is it? NordVPN!
• NordVPN’s no log policy? It’s a scam all traffic is being logged and even sent to UDC. This could be for SIGINT. So now the no log policy is a complete hoax the hacker could have accessed the NordVPN users browsing history. https://share.dmca.gripe/V7xZmtYzoaEtDio0.txt
• Why wasn’t the hack detected by NordVPN even though they had full remote admin on their Finland node LXC containers. That means NordVPN failed to detect the hack in the so called third-party provider breach.
• No practicing of secure PKI management because the CA private key was on the same server which shouldn’t have happened.
• Fault of NordVPN or not the hacker could have added malicious code into plain text being viewed by the NordVPN users connected to that server.
• Bonus: NordVPN can’t keep up with hacks as many groups are hacking and leaking hacked credentials. Type NordVPN in the following group: https://t.me/hackingjungle

This attack was not aimed at NordVPN but along this TorGuard and OpenVPN were also targeted. NordVPN and OpenVPN were not practicing secure PKI management and only TorGuard was. Ironically OpenVPN Community Wiki and Tracker has a list of ways on how to harden VPN which includes a paragraph about secure PKI management.

NordVPN – Nordic Ideals of Trust

Before I close it down, let me bring everyone’s attention to what NordVPN has stated in their about page, I doubt they will change that, but its a fun read

We, NordVPN, confirm that we take full control of our infrastructure. It has never been compromised or suffered a data breach. We have not disclosed any private keys or any information of our users, and we have not been forced to modify our system to allow access or data leakage to a third party of any kind.

This current hack made them compromised and some keys were exposed. Will they amend their website About ?

Conclusion

Any VPN is supposed to keep you anonymous and safe. That is why people choose VPNs for surfing the internet in hopes that they may protect yourself against ransomware. This helps make a person feel more secure because they aren’t being spied upon. If top VPNs like NordVPN which sits with a score of 9.7 has failed to provide this security one might as well stop paying for it because it won’t make a difference who collects their logs that may be their Internet service provider (ISP) or NordVPN. From my point of view using NordVPN after all these failures and lies one is better off using other VPNs or not using one.