Foreign spies may be hiding in your VPN, warns DHS

Before we get into the latest scary-virtual private network (VPN) news, let’s do as Naked Security’s Paul Ducklin advises and repeat after him:

A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.

Many people do trust their VPN provider. A lot. Unfortunately, some of them shouldn’t, going by what a Department of Homeland Security (DHS) higher-up recently said.

In a letter sent to Senators Ron Wyden and Marco Rubio on 22 May 2019, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote that foreign adversaries are interested in exploiting VPN services. From the letter:

Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes.

Krebs was writing in response to a 7 February 2019 letter sent to him by the senators, who are concerned about threats posed by apps created in countries of national security concern to the US.

The senators noted that mobile browsers such as Yandex, Dolphin and Opera use their own servers as an intermediary for user traffic, compressing the pages before delivering them to users in order to save data. Similarly, VPN providers route traffic through their own servers in order to mitigate privacy concerns – nominally, at least, the senators said.

Potential security risks are of particular concern when it comes to government employees using VPNs, mobile data proxies, or other apps that might be vulnerable to foreign government surveillance, the senators said. They noted that the US government has already recognized the national security risks posed by Chinese telecom equipment, for one: a year ago, the Pentagon banned Chinese smartphones from military exchanges.

Six years prior, the US House of Representatives issued a report recommending that Huawei and ZTE be banned because of concerns over spying. A year-long investigation had shown that the companies had maintained close ties to the Chinese Communist Party and People’s Liberation Army back home while trying to expand their US businesses.

No overarching policy to stop it

In Krebs’ reply to the senators, he said that there’s no overarching US policy preventing government mobile device users from downloading foreign VPN apps. He also referenced the National Institute of Standards and Technology (NIST), which has published Guidelines for Managing the Security of Mobile Devices in the Enterprise. From those guidelines:

Mobile devices are manufactured to easily find, acquire, install, and use third-party applications from mobile device application stores. This poses obvious security risks, especially for mobile device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing.

Recent problems with third-party apps published to app stores have included government spyware hiding in plain sight in Google Play, for example.

Krebs said that according to “open-source reporting”, the Russian government in November 2017 enacted laws that force domestic and foreign VPN providers to participate in Russia’s blacklist enforcement system: a system that allows the government to “access and influence Russia-based VPN providers,” such as Yandex. Also, in December 2017, the Indian government issued an advisory to employees that the Chinese government had used popular mobile apps – including WeChat, Truecaller, Weibo, UC Browser, and UC News – to collect information on sensitive Indian security installations.

CISA believes the apps pose a “low to moderate” risk of affecting government operations, though Krebs notes that the agency has limited visibility into what government employees install on their federally contracted mobile devices.

VPNs don’t improve spotty security

For many, VPNs are synonymous with security and it’s not difficult to imagine a person of interest to foreign adversaries downloading one to a private phone in a misguided attempt to avoid becoming the next John Podesta. (Podesta’s Twitter account was hijacked and his Gmail compromised famously during the 2016 US presidential election.)

As Naked Security has pointed out many times over, your VPN is a bottleneck through which all your traffic flows. It works by encrypting your network traffic and transporting it to a server somewhere else on the internet. That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.

The encryption shields your traffic from all prying eyes other than the VPN itself, which becomes a box seat for reading your communications.

So when is a VPN useful? Paul describes it this way:

A VPN that you run at home or at work and use while you are on the road is great for what you might call ‘security predictability’: it helps you keep your security posture as good or as bad as it would be back at base. When you’re a stranger in a strange land, it can be a comfort to know your network data is nevertheless being handled as it would be at home.

But a VPN that someone else runs for you, in some other country, under someone else’s laws – well, *you* might well be at home, but now it’s your data that’s a stranger in a strange land, so your security might improve, or it might get worse. For all you know – and, of course, you *don’t* know – it might get a lot worse.