Hacker breached servers used by NordVPN

Leading VPN provider NordVPN has been forced to admit that a hacker stole an expired TLS certificate key used to securely connect customers to the company’s web servers.

According to a statement, the attack happened in early 2018 at the Finnish data centre of a service provider used by the company, exploiting a vulnerability in a remote management interface which NordVPN wasn’t told about.

Not a good look for a company offering a VPN service which customers buy to boost the security and privacy of their internet connection. However, in a statement released earlier this week the company downplayed the risk of misuse:

The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.

There’s no evidence the stolen key was abused, nor that it could have been given its expiration.

So that’s that? Unfortunately not. Indeed this is where the story of the NordVPN hack takes a confusing turn involving rival VPN companies.

The reason we know about this incident at all is thanks to Twitter user @hexdefined who tweeted about it at the weekend:

And how did @hexdefined know about it? Because the stolen key, and probably some others, have apparently been circulating on the dark corners of the internet for some time.

The plot thickens

Earlier this week, NordVPN came clean about the incident, saying it had decided not to mention it for 18 months in case the same vulnerability was present on some of its other 3,000 servers.

As to the possibility that other VPN providers were caught up in the same hack, TorGuard released a statement admitting that one of its servers had suffered the same fate:

The TLS certificate for *.torguardvpnaccess.com on the affected server is a squid proxy cert which has not been valid on the TorGuard network since 2017…

It’s a confusing mess.

A hack happened at a service provider used by NordVPN. Somehow, two rivals were caught up in it too. It’s not clear whether this was at the same time or in a separate incident revealed by that event – so far, the statements have not made this clear.

Are these VPNs still secure?

If this had been exploited before discovery, an attacker could in principle have set up a bogus NordVPN server guaranteed by the stolen certificate and, potentially, used it for man-in-the-middle (MitM) attacks.

That risk was probably small and is no longer possible. But it’s a reminder that while VPNs offer security for network traffic in transit, and provide some degree of privacy by masking your IP address, they are still networks built out of servers, configured by people, running on infrastructure run by third-party suppliers.