NordVPN is one of the most popular and well-known VPN services on the market. It is used by many people to ensure privacy when using the internet; however, the firm has recently announced that it has suffered a security breach.
The announcement came following a post on Twitter by a security researcher who claimed that an unknown individual had stolen private encryption keys that ensure traffic through its servers remains private and confidential. The keys would have allowed traffic to be intercepted and decrypted on a compromised server.
NordVPN announced in a blog post that it was aware of the security incident and that it was limited to a specific server at a third-party data center in Finland, and that the security breach occurred in March 2018. NordVPN says the server was vulnerable for a period of around six weeks between January 31, 2018 and March 20, 2018. During that time, NordVPN believes it was subjected to unauthorized access only on one occasion.
In order to provide its VPN service in locations around the world, NordVPN uses servers in many third-party data centers. In this case, a previously compromised server was being used by NordVPN and the attacker used an insecure remote management tool that had been inadvertently left on the server by the company responsible for managing the server. Through that tool, three TLS encryption keys were stolen. Those keys were used to protect users’ traffic against unauthorized access.
The breach only affected traffic routed through one specific server, and since NordVPN does not store logs of the sites that its users have accessed, past internet traffic could not be viewed. Since user-created credentials are not sent for authentication, the security breach would not have allowed the attacker to obtain usernames or passwords.
Furthermore, when a user connects to a specific location via NordVPN, their connection typically remains on one server for only around 5 minutes before the server is switched. Therefore, any traffic that was intercepted would only have been intermittent for any one particular user.
The company has around 3,000 servers and just one was breached, so the number of affected individuals is likely to be relatively low. Since no logs of user activity are retained by NordVPN, there is no way of knowing exactly how many users have been affected. That said, at the time of the initial breach, server loads suggested there were between 50 and 200 active users.
According to NordVPN, the unauthorized individual responsible for the hack would have been able to see the sites that were being accessed by users at the time, but since most websites are on HTTPS, the connection between the browser and those sites is encrypted. Consequently, all traffic to those sites would remain private. Only traffic to HTTP sites would have been viewable. Further, NordVPN said any attack would have had to have been personalized and conducted one person at a time.
NordVPN also claimed in the blog post that the TLS keys that were stolen had expired, although what wasn’t mentioned was that the keys were valid at the time they were stolen and only expired in October 2018. That meant they were valid for 9 months following the initial security breach.
As for the delayed disclosure, which came only after the Twitter post, NordVPN said it was waiting to disclose the incident to allow an audit to be completed on other servers to determine whether this was an isolated incident. It has confirmed that this was an isolated incident and only one server in Finland was compromised.
Notifications will be issued to customers and the company that maintained the vulnerable server is no longer being used.
While the breach appears to be relatively minor, the lack of transparency is of concern. NordVPN downplayed the extent of the breach, but according to the Pastebin logs posted on Twitter by Kenneth White, Director of the Open Crypto Audit project, the attacker had full remote admin access to the Finland node containers. “That’s God Mode folks… and they didn’t log and didn’t detect it. I’d treat all their claims with great skepticism.”
The incident, along with other recent breaches at VPN services such as TorGuard and VikingVPN, shows that no VPN service is able to offer total privacy. Breaches may occur that could reveal the sites that users have accessed, if the VPN service maintains logs. That means, in some cases, breaches could result in browsing histories being exposed that could be tied to a particular user. That would give a hacker significant blackmail opportunities.