2020-07-20

VPNs are all the rage these days, because they’re supposed to boost your privacy and stop you being tracked.
In fact, “VPN” has become a word in its own right, pronounced vee-pee-en, and it’s a crowded market with companies advertising online, on TV and even in print media to compete for your consumer dollars.
Most VPNs have a free app you can download, but you typically need a paid subscription to make it work or to unlock premium services.
The app will scramble all the network traffic between your device and the company’s servers, and unscramble it and release it onto the internet from there – perhaps even in a different country – which does indeed disguise the true source of your data packets, and therefore makes you harder to trace.
But the connection with privacy, and by association, with anonymity, comes from the fact that VPN is short for virtual private network, which has the word “private” right there in the name.
In truth, the “private” part of a VPN isn’t really about you being anonymous or pretending to be someone else.
The P in VPN really just refers to the idea of using a public network to transmit traffic that in the olden days would have gone across a private circuit or a leased line, and was therefore considered and managed as part of your company’s LAN, or local area network.
In fact, if you’ve ever used a company VPN – and in this era of coronavirus lockdown, it’s very likely you have – you will be well aware that your corporate VPN makes you identify yourself exactly, perhaps with a password and a 2FA token, so the company knows who you are before you connect.
Your traffic is private from surveillance as it traverses the public network, because VPNs use encryption to shield the raw network packets from being sniffed out, but your traffic is not anonymous once you are inside the virtual castle of the company network.
In short, the VPN itself knows who you are and sees what you get up to, even if the routers through which your encrypted VPN packets travel do not.
And that’s a good thing, because it means that you’re only sharing that company network with other people who are supposed to be there (you hope!) and who can be held accountable for their behaviour, rather than with a random bunch of unknown strangers.
What about the logs?
As we mentioned above, consumer VPNs can arrange to decrypt your traffic and surface it onto the public internet far away from where you are, so they not only disguise your physical location (which does indeed improve your privacy somewhat), but also let you disguise your country of residence.
For many people, that is the primary value of a personal VPN service – it lets them bypass censorship that may be applied by ISPs in their own country, and it also lets them bypass so-called geoblocking that stops them watching overseas TV shows and movies or accessing other region-limited content.
But it also means that you are putting an awful lot of trust in the VPN provider, because that provider essentially becomes your new ISP, so you need to be aware of the extent to which they do (or don’t) follow the surveillance and monitoring laws in the various countries where they operate.
Many VPNs tell you that “they don’t keep any logs at all”, and therefore that they would have nothing on you that they could hand over to law enforcement even if they wanted to.
But many countries have legal mechanisms whereby various authorities – with or without a warrant, depending on the jurisdiction – can compel a service provider not only to start keeping logs for specific individuals, but also to keep quiet about the fact. In other words, they have to keep logs of your traffic, but they are gagged from warning you up front, and they can’t tell you even if you ask.
This legal peculiarity led to a trend, a few years ago, of so-called “warrant canaries”, which were like canaries in coal mines that signalled dangerous gases by falling unconscious and dropping off their perches. Companies would regularly put notices into web pages or documents to say that they were not currently under any sort of gagging order. The idea was that removing the “negative gag” notice, which would essentially be a legal requirement if a gag order were applied, would therefore act as if the company had added a “positive gag” notice. This would therefore comply with the letter of the law, if not exactly its spirit. This sort of legal sophistry is not widely used any more, not least because it turned out to be quite confusing.
Of course, some VPNs will assure you that this can’t happen to them (and therefore indirectly to you) because their companies are registered in countries where such legal provisions don’t exist.
But any VPN knows where you are and, to some extent at least, who you are while you’re using the system, and may even need to keep what amount to in-memory logs – ephemeral data, to use the jargon term – for some or all of each session, just to make the service work reliably.
What you have to assume, therefore, is that anything they know about your traffic for the purposes of handling it while you are online never gets saved anywhere permanent, whether by accident or design.
And history suggests that ephemeral data – stuff that should evaporate forever from memory once it is no longer needed, and never get written to disk or forwarded to another server – has a way of surviving when it shouldn’t.
After all, in recent memory, both Google and Facebook admitted that, sometimes, passwords you had typed in during the login process – data that was only ever supposed to be held in RAM and get scrubbed after it had been validated – had accidentally been sent off in plaintext and saved in logfiles deep in their respective systems.
Facebook discovered in 2019 that it had committed hundreds of millions of passwords to disk, and set about finding and purging them; Google also admitted that it had incorrectly been saving away some passwords – we don’t know how many, but we know that the data went back for 14 years to 2005.
In other words, logging the unloggable is easy to do even if you genuinely set out not to do it, and even if you are two of the biggest internet companies out there, with large and well-funded cybersecurity teams.
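The Facebook and Google incidents above are the classic shape of “logging the unloggable”: a debug statement dumps an entire request, password and all, and the log pipeline faithfully keeps it. The following is an added example, written for this article rather than taken from it or from either company’s code, showing the naive log call beside the redacting one, plus a small scanner you can run over existing log text to find credentials that have already leaked. The field names, the sample login form and the regular expression are all constructed for the demonstration; the scanner is a heuristic, not a complete secrets detector.

```python
import json
import logging
import re
from io import StringIO

# Field names that must never reach a log line, whatever the log level.
# (Constructed list for this example; extend it to match your own schema.)
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "secret", "api_key", "card_number"}

def redact(record):
    """Return a copy of a request/record dict with sensitive values masked."""
    return {k: ("***REDACTED***" if k.lower() in SENSITIVE_FIELDS else v)
            for k, v in record.items()}

def log_login_naive(logger, form):
    """The mistake: dump the whole request for debugging, password included."""
    logger.debug("login attempt: %s", json.dumps(form))

def log_login_safe(logger, form):
    """The fix: redact before the data ever reaches the logging subsystem,
    rather than trusting a downstream filter or a log-retention policy."""
    logger.debug("login attempt: %s", json.dumps(redact(form)))

# Heuristic scanner for log text that already exists: a sensitive field name,
# then ':' or '=', then a value that is not the redaction marker.
LEAK_RE = re.compile(
    r'"?(password|passwd|pwd|token|secret|api_key)"?\s*[:=]\s*"?'
    r'(?!\*\*\*REDACTED\*\*\*)([^",\s}]+)',
    re.IGNORECASE,
)

def find_leaked_secrets(log_text):
    """Return (line_number, field_name) for each unredacted secret found."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for m in LEAK_RE.finditer(line):
            hits.append((n, m.group(1).lower()))
    return hits

def demo():
    """Write one naive and one safe log line into memory, then scan them."""
    buf = StringIO()
    logger = logging.getLogger("vpn.auth.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    logger.addHandler(logging.StreamHandler(buf))

    # Constructed login form, not real data.
    form = {"user": "alice@example.com", "password": "hunter2", "client": "android/3.1"}
    log_login_naive(logger, form)
    log_login_safe(logger, form)

    log_text = buf.getvalue()
    return log_text, find_leaked_secrets(log_text)

if __name__ == "__main__":
    text, hits = demo()
    print(text)
    print("leaks found:", hits)   # only line 1, the naive one, carries the password
```

The point of redacting at the call site rather than in a log filter is that the plaintext never enters the pipeline at all, so there is nothing for a misconfigured handler, a crash dump or a forwarding agent to preserve by accident.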
What happened this time?
According to a report published last week by VPNMentor (note: VPNMentor earns affiliate revenue from links to and coupons for selected VPN companies that it recommends), its researchers stumbled across copious user logs from seven VPNs operating out of Hong Kong.
(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.)
Further digging suggests that these seven products were all rebranded from one main provider – software and IT services are often sold in this way, with the same (or very similar) code and back-end systems forming the core of offerings from several different licensees.
As you have probably guessed by now, this data wasn’t supposed to be publicly accessible, but was exposed via a cloud database – Elasticsearch, in this case – that had not been correctly configured.
According to VPNMentor, about 1 billion database entries relating to approximately 20 million users (so that’s an average of 50 items per user) were exposed, with data fields including:
Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct Paypal API links.
So not only did these VPNs collect data that they ought not to have retained at all, such as plaintext passwords, but they inadvertently exposed it publicly.
Furthermore, VPNMentor claims that “[a]ccording to their respective websites, every VPN [on the list] provides military-grade security features and zero logs policies to reinforce their users’ information security.”
Or, it would seem, don’t follow any sort of “zero logs” process at all.
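The article only says the Elasticsearch database “had not been correctly configured”, and VPNMentor’s report does not reproduce the configuration. As an added example, not the operator’s real config or VPNMentor’s findings, here is what that kind of exposure usually looks like in elasticsearch.yml, the hardened equivalent beside it, and a small audit function that flags the difference. The two config fragments are constructed; the checker assumes the pre-8.0 default in which xpack.security.enabled is off unless you turn it on, and its YAML parsing handles only the flat dotted-key lines the file normally contains.

```python
# Two constructed elasticsearch.yml fragments: the first resembles a node that
# anyone on the internet can query, the second the same node locked down.
# Neither is taken from the servers VPNMentor found.
EXPOSED_CONFIG = """
cluster.name: vpn-logs
node.name: node-1
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false  # no usernames, no passwords, no TLS
"""

HARDENED_CONFIG = """
cluster.name: vpn-logs
node.name: node-1
network.host: 127.0.0.1        # loopback only; reach it via a VPN or SSH tunnel
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}

def parse_flat_yaml(text):
    """Minimal parser for the flat `dotted.key: value` lines elasticsearch.yml
    normally uses. Deliberately not a general YAML parser: nested blocks and
    lists are unsupported, and '#' comments are stripped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings

def audit_elasticsearch(settings):
    """Return findings describing how this node could hand its indices to strangers."""
    findings = []
    # Elasticsearch binds to loopback ("_local_") when network.host is unset.
    host = settings.get("network.host", "_local_")
    bound = {h.strip() for h in host.strip("[]").split(",")}
    public = not bound <= LOOPBACK
    # Assumed default of false matches Elasticsearch 7.x; 8.x turns security on by default.
    auth_on = settings.get("xpack.security.enabled", "false").lower() == "true"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    port = settings.get("http.port", "9200")
    if public and not auth_on:
        findings.append(f"CRITICAL: HTTP API bound to {host} with xpack.security.enabled=false: "
                        f"anyone who can reach port {port} can read, alter or delete every index")
    elif public and not tls_on:
        findings.append("HIGH: authentication on but HTTP TLS off: credentials and documents "
                        "cross the network in the clear")
    if not public and not auth_on:
        findings.append(f"MEDIUM: loopback-only with no authentication: safe only while nothing "
                        f"(reverse proxy, port forward, container port mapping) republishes port {port}")
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_elasticsearch(parse_flat_yaml(cfg)) or ["no findings"])
```

Note that the MEDIUM finding exists for a reason: a node that is safe on loopback becomes the exposed one the moment someone maps port 9200 through a container runtime or a cloud security group, which is the sort of change that never shows up in elasticsearch.yml itself.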
What to do?
The burning question here, especially with many of us working away from the office these days, is, “Do I need a VPN now I’m working from home?”
We discussed this topic in our weekly Naked Security Live video, back in April 2020 when UK and US lockdowns first started:
16 comments on “7 VPNs that leaked their logs – the logs that “didn’t exist””
What happened to the good old Raspberry Pi + OpenVPN = A single night configuration fun? Sounds like the only person you can trust anymore is yourself. Assuming you did the due diligence, you should be able to trust your home ISP. So just route your own traffic to your equipment and problem solved. Don’t have to worry about a third-party not doing what they said they were or weren’t going to do. It is just you, and you can do whatever you want with the logs.
(Not putting in a name due to Meta Data Leakage!)
The problem is – especially in these coronavirus times, as we discuss in the video – many of the people who are using VPNs are already at home when they’re doing so, and therefore just plugging their own laptop directly into their own router already ensures that their own traffic is going to their own equipment…
…but they’re using the VPN to sidestep their own ISP/government/country to get around tracking/censorship/not being able to watch the TV shows they want.
In the BC (before coronavirus) era I just used a home SSH server to set up tunnels if I really needed them while I was off in London/Brussels/Amsterdam/Edinburgh/my local coffee shop. But I haven’t been off anywhere much lately, except into bluebell woods to record socially distanced Naked Security Live videos which were meant to be public anyway. (For the video I just relied on 4G from my mobile provider.)
I have a VPN setup to connect to my Sophos UTM home firewall when I’m out and about remotely. I’ve been seriously considering setting up a Digital Ocean droplet or AWS instance to host a VPN in another location. I should imagine the cloud providers would keep logs though, even if the VPN provider doesn’t. Unless the VPN providers own their own data centres chances are there are mountains of logs somewhere. Most likely just flow data but you never know.
For my personal VPN I do keep logs mainly for security, monitoring and diagnostic purposes should something go wrong.
It makes me wonder how VPN providers diagnose issues and detect evil if there are no logs whatsoever? If they’re sanitising logs how well are they doing it? How are they doing security monitoring? If some bad guy finds a zero day in OpenVPN, Cisco ASA and the like (it happened to Citrix Netscaler earlier this year so nobody is immune!) and starts attacking VPN concentrators it could be seriously bad news. Of course as more sites transition to https and DoH that makes performing evil a little harder but still it would be bad news indeed!
I assume all three of your question-marked sentences are rhetorical :-)
As always, the problem with being certain that someone is not doing X is that unless there exists some Y, where Y precludes X and the person can show they were doing Y instead (I think the word I am after is “alibi”), you are kind of stuck and have to use other ways to figure out whether to believe them. “Have you ever had a Kylie Minogue song stuck so you just can’t get it out of your head?” Some of us never have… but we’ll never be able to prove it.
“I just can’t get you outta my head….” hmm-mmm-mmm-hmm-mmm-mmm-hmm-mmm-mmm-mmm… D’OH!! Dammit!!!
I’ve never even heard of these. Immediate red flag.
(VPNMentor named the affected services as follows: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN.)
Hong Kong based is a large red flag for me!
Candidly, can anyone trust any VPN provider to behave honourably? It’s always said that you should only use ones that you pay a subscription for, but can anyone prove that these are any more trustable than free ones?
I always feel that an actor from a country’s government, whether in the East or West, could set up a company in a country not a member of the Five Eyes, taking care that they keep this fact secret from the other employees, and then enjoy free access to the traffic flowing through their servers and pass back the useful bits to their government.
In this case it doesn’t look as though there was any subterfuge. In other words, even before you get to the words “behave honourably” you have to get past “do not shovel stuff into unprotected public cloud buckets at all, whether it’s secret stuff or not”. Once you get past “doh!” you can start thinking about the “hmmmmmm?” aspects :-)
Just to bring it back to my original question – how can you trust any VPN provider? It seems to me that they all claim to be doing the right thing, but are just a bunch of unknowable people who handle your personal data.
I really don’t know. You could ask a similar question about ISPs, except that they are generally [a] local and [b] at least somewhat knowable.
This is particularly unfortunate, given the current situation in Hong Kong, and the lowering of the Great Firewall of China around it. While not going so far as to suggest that this log leak was intentional or political, I assume the Chinese authorities might nonetheless be quite interested in knowing about the Hong Kong residents who choose to use a VPN service.
Ouch.
I am reminded of a 1970 incident where a salesperson came around to my company and demonstrated some software. Before leaving, he “removed” it. 😉 You can guess: the mainframe had backed it up; that was found out by the IT guys later. In this case they were ethical and did remove it from the backup; I think.
Accidents and deliberate subterfuge happen. Until we get laws, end-to-end encryption, and some sort of routing obfuscation, we need to anticipate leakage (: So just send sanitized love letters; even to politicians (ugh).
So pretty much make sure your VPN isn’t Chinese owned or operated.
Well using a VPN doesn’t always work as I found out trying to access Amazon Prime video from outside of the country. Amazon seemed to know I was using a VPN and would not allow me to watch the video, even though I was a prime member. (I have since closed my Amazon accounts for other reasons.)
I think they go by the credit card address. At least that’s what they told me. The licensing of content, whether books or movies, can be downright byzantine: with stuff being available in Vanuatu but not in Fiji etc, and these restrictions are not necessarily the fault of Amazon, infuriating though they may be.