What is even going on in the VPN industry? Big names are apparently getting hacked left and right. Yesterday, Oct. 21, the well-known VPN service provider NordVPN announced that one of its servers had been hacked.
Although the data breach occurred in March of 2018, NordVPN was publicly called out by the infosec community when NordVPN’s marketing team posted an overly extravagant advertisement on Twitter stating this: ‘Ain’t no hacker can steal your online life. (If you use VPN). Stay safe.’
This is where NordVPN knew they had messed up and quickly took down the ad. However, things escalated quickly and the company has since published a flurry of tweets to douse the flames.
In response to the TechCrunch article titled “NordVPN confirms it was hacked”, NordVPN harshly reiterated on Twitter that “a server was hacked, the service was not”.
Here’s what essentially sparked the NordVPN hacked controversy:
One of NordVPN’s rented servers, owned by a Finnish company, was hacked and an EXPIRED TLS key was leaked, allowing anyone to set up a server imitating NordVPN.
Now there are two sides to the story. At one end of the spectrum, we see NordVPN playing the blame game and trying to cover up the incident, while on the other end, we see security researchers getting into the nitty-gritty of the whole ordeal.
NordVPN’s side of the story
There are a couple of key elements to note from NordVPN’s official statements. Let’s first take a look at NordVPN’s side of the story and then we’ll look at what security researchers have to say.
Addressing the allegations
NordVPN spokesperson Laura Tyrell told TechCrunch that in March 2018, “One of the data centers in Finland we are renting our servers from was accessed with no authorization”.
Furthermore, NordVPN said it found out about the breach a few months ago but didn’t disclose the breach until today to ensure the security of every component within their infrastructure.
If we take a look at the blog post that NordVPN published on Oct 21, the company states: “The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed”.
Claiming no data was compromised
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, and no other datacenter providers we use have been affected”.
In addition, NordVPN stated: “When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them”.
In order to clear its name, NordVPN stated that the vulnerable remote management system was left behind by the server provider, which later deleted it on March 20, 2018, exactly 48 days later, without notifying NordVPN.
Critics’ side of the story
Now let’s see what the critics have to say.
Source – TechCrunch
According to an anonymous senior security researcher who spoke to TechCrunch, the evidence found in regards to NordVPN’s breach is troubling. The same researcher further said: “this is an indication of a full remote compromise of this provider’s systems”. “That should be deeply concerning to anyone who uses or promotes these particular services”.
Source – @hexdefined
According to @hexdefined, who is a web developer/hacker, “whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it)”.
The same Twitter user also shared a series of screenshots further confirming the possibility of anyone setting up a server of their own to impersonate NordVPN.
Source – Creanova’s CEO
In response to NordVPN blaming the server provider for the remote access vulnerability found on one of its servers, Creanova’s CEO Niko Viskari stated that NordVPN “do not take care of security by themselves”.
Niko further stated that Creanova has other large VPN service providers who take privacy much more seriously compared to NordVPN and frequently urge them to have iLO and iDRAC remote access tools run in private nets.
Niko concluded by stating that NordVPN seems to not pay attention to their security and is trying to dump their burden on Creanova’s shoulders – Source.
How easy was it to hack into a NordVPN server?
As I said earlier, the whole incident occurred when someone managed to hack into one of the NordVPN servers using the default remote management system which is apparently found on all servers owned by Creanova.
One Twitter user by the name of @NathOnSecurity shared an example of how the hacker could have accessed NordVPN’s server by using default credentials for the iDRAC web interface.
He also shared that even if you don’t have access to the iDRAC credentials printed on the system information tag, the default username and password “root” and “calvin” can be used.
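The three failures this section describes (a management interface the tenant did not know existed, a BMC reachable from outside the management network, and vendor default credentials never rotated) are all things a tenant can audit from a provider’s inventory. The following is an added Python example of my own, not code from NordVPN, Creanova or anyone quoted here; the hostnames, addresses and the 10.20.0.0/16 management network are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: a provider's list of out-of-band management (BMC)
# interfaces and the tenant's own asset register. None of these hosts or
# addresses are real; they only illustrate the audit.
PROVIDER_BMC_INVENTORY = [
    {"host": "vpn-fi-01", "bmc": "203.0.113.10", "kind": "iDRAC", "creds_rotated": False},
    {"host": "vpn-fi-02", "bmc": "10.20.0.12", "kind": "iLO", "creds_rotated": True},
    {"host": "vpn-fi-03", "bmc": "198.51.100.7", "kind": "iDRAC", "creds_rotated": True},
]
TENANT_ASSET_REGISTER = {"vpn-fi-02": "10.20.0.12"}  # the only BMC the tenant knows of

# Assumed policy: BMCs may only live on this dedicated, non-routable management network.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str


def audit_bmc(provider_inventory, tenant_register, mgmt_nets=MGMT_NETS):
    """Reconcile the provider's BMC inventory against the tenant's own records
    and the management-network policy; return one Finding per violation."""
    findings = []
    for entry in provider_inventory:
        host, kind = entry["host"], entry["kind"]
        bmc = ipaddress.ip_address(entry["bmc"])
        # 1. A management system the tenant never knew existed cannot be hardened by the tenant.
        if host not in tenant_register:
            findings.append(Finding(host, f"{kind} interface is not in the tenant asset register"))
        # 2. A BMC outside the private management network is reachable by anyone who can route to it.
        if not any(bmc in net for net in mgmt_nets):
            findings.append(Finding(host, f"{kind} at {bmc} is outside the management network"))
        # 3. Vendor default credentials are public knowledge; they must be rotated before exposure.
        if not entry["creds_rotated"]:
            findings.append(Finding(host, f"{kind} still uses vendor default credentials"))
    return findings


def hosts_with_findings(findings):
    """Set of hosts that have at least one finding, for a quick summary."""
    return {f.host for f in findings}


if __name__ == "__main__":
    for f in audit_bmc(PROVIDER_BMC_INVENTORY, TENANT_ASSET_REGISTER):
        print(f"{f.host}: {f.issue}")
```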
My two cents
After extensively researching the matter and digging through countless tweets, web archives and other sources, I believe that just a single hacked server can’t be enough to compromise the privacy of thousands of servers owned by NordVPN.
However, I can’t imagine how a massive VPN service like NordVPN can boast about being immune to hackers while ignoring small details like the remote management tools installed by default on its servers.
It also bugs me that this incident only blew up more than a year later and not sooner. Although NordVPN is now claiming it will strengthen its security protocols in the future, this incident has surely tainted NordVPN’s reputation, and I can’t help but urge you not to use the service until NordVPN earns back the trust of its 10 million users.
I’ve also discussed the incident in my NordVPN review, however, you’re totally free to make your own decision.