NordVPN Hack: Truths You Need To Know
Daniel Johnston
Published Apr 11, 2026
NordVPN is a virtual private network service provider that promises to protect your online privacy. It has desktop applications for Windows, macOS, and Linux, mobile apps for Android and iOS, and an application for Android TV.
Exactly how it happened is a complicated story, but we’ll start with NordVPN’s account of the incident. NordVPN explained that the hackers compromised a single VPN server in Finland. Its own servers were not endangered.
NordVPN declared that the breach ‘was made possible by poor configuration on a third-party datacenter’s part that we were never notified of.’
Evidence suggests the attack most likely took place between January 31st, 2018, when the server came online, and March 5th, 2018.
The attack was carried out through a compromised data center account, not an account managed by NordVPN.
The data center closed this account on March 20th, 2018, blocking any further access to the server.
Background:
On May 3rd, 2018, a user on the 8chan message board started a thread asking for VPN suggestions, and other users began naming their favorite VPNs, such as NordVPN, Mullvad, TorGuard, VikingVPN, cryptostorm and more.
Another user created a post at 20:46, remarking on these recommendations. Mullvad and cryptostorm got an approving ‘good choice!’, but NordVPN, TorGuard and VikingVPN got a ‘lol, no’, with links to evidence revealing hacked server details from each provider: configuration files, private keys, basic session details and more.
On inspection, the VikingVPN and TorGuard links appeared to show session connection times and some file data from Thursday, May 3rd, the day the 8chan conversation started.
That indicates the user had not just found these somewhere, or received them from someone else; he saw the thread and pulled live server data shortly afterwards. That is either a very quick hack, or the user already knew about the exposure for each provider.
NordVPN’s details did not contain any dating evidence. So when did the hack happen? That’s where the picture gets murky.
What was compromised for NordVPN users?
NordVPN users were not compromised: the hackers only got access to one expired TLS key for a single server.
First of all, the hacker did not have any access to server logs, because NordVPN is a no-logs VPN provider that does not store anything on its servers. NordVPN underwent a third-party audit by PricewaterhouseCoopers verifying its no-logs policy.
Secondly, NordVPN uses perfect forward secrecy, which generates a different key for every session using ephemeral Diffie-Hellman keys. This means that even with a TLS key there is little a hacker could do, since the key is used for server authentication and not for traffic encryption. As NordVPN noted, the hacker would need direct access to the user’s device or network for a successful attack, which is extremely unlikely.
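An added example (not from NordVPN or the original article) of the forward-secrecy argument above: with a static key exchange, a long-term key leaked later recomputes the session key of a recorded handshake, while with ephemeral Diffie-Hellman it does not. The toy group, the function names and the omission of the authentication signature are simplifying assumptions.

```python
import hashlib
import secrets

# Toy group (assumption, illustration only): the Mersenne prime 2**127 - 1.
# Real deployments use 2048-bit or larger groups, or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private, public) in the toy Diffie-Hellman group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Hash the DH shared secret into a 32-byte session key."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def handshake(server_longterm_priv, ephemeral):
    """Run one handshake; return (recorded public values, session key).

    ephemeral=False: the long-term key is itself the key-exchange key.
    ephemeral=True: a fresh server key is used and discarded; the long-term
    key would only sign that share (signature omitted here, since it is not
    an input to the session key).
    """
    client_priv, client_pub = keypair()
    if ephemeral:
        server_priv, server_pub = keypair()
    else:
        server_priv = server_longterm_priv
        server_pub = pow(G, server_priv, P)
    key = session_key(server_priv, client_pub)
    assert key == session_key(client_priv, server_pub)  # both sides agree
    return {"client_pub": client_pub, "server_pub": server_pub}, key

def key_from_leak(leaked_longterm_priv, recorded):
    """Session key computable from a recorded handshake plus the leaked key."""
    return session_key(leaked_longterm_priv, recorded["client_pub"])

def demo():
    """Return (static_recovered, ephemeral_recovered) for one leaked key."""
    longterm_priv, _ = keypair()
    static_rec, static_key = handshake(longterm_priv, ephemeral=False)
    pfs_rec, pfs_key = handshake(longterm_priv, ephemeral=True)
    return (key_from_leak(longterm_priv, static_rec) == static_key,
            key_from_leak(longterm_priv, pfs_rec) == pfs_key)
```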
How did the hacker get the TLS keys?
The answer to this question is not clear.
NordVPN blames the data center in Finland, as it stated in its official response:
“The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service”.
Meanwhile, the data center blames NordVPN in a piece published in The Register:
“Yes, we can confirm they were our clients,” Viskari continued. “And they had a problem with their security because they did not take care of it themselves.”
“All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.”
Finally, there may be a third explanation: a disgruntled employee. The founder of VikingVPN, who is no longer connected with VikingVPN, said on Reddit:
“This sounds more like a disgruntled employee at Nord or the datacenter leaking the keys rather than a ‘hacker.’”
So here we have three distinct possibilities for how the hacker could have obtained the expired TLS key of the NordVPN server in Finland. However, the impact on NordVPN users is almost zero.
What did NordVPN do next:
Now that NordVPN has been hacked, it is worth knowing what the company has learned from the incident and what its next plans are.
After learning of the attack, NordVPN says it promptly launched a ‘thorough internal audit’ of its whole infrastructure. The company said this revealed ‘a few servers that could potentially be at risk’ through a similar remote access system, but these have either been fixed or removed.
Server security has been strengthened with encrypted storage, making it much harder to access information through a remote management system.
In a particularly important move, NordVPN has partnered with security consultancy VerSprite to work on penetration testing, intrusion handling and source code analysis.
The company is promising a ‘full-scale third-party independent security audit’ of its whole infrastructure in 2020, covering hardware, software, backend architecture and source code, and internal procedures. That sounds like it will easily surpass every other VPN security audit.
Longer-term plans involve creating a network of colocated servers that are exclusively owned by NordVPN and run completely in RAM. They will hold no locally stored data or configuration files, nothing that could be recovered in a hack. That is also a good step.
On October 9th, NordVPN confirmed the findings of a VerSprite audit of its apps, with 17 bugs found and fixed.
That is a major undertaking. We have seen enough awful VPN apps to know that many providers will most likely never submit to that level of scrutiny.
NordVPN is arguably the most famous VPN provider on the market. Therefore, it has a huge target on its back in a competitive sector. Hopefully, NordVPN will use this as an opportunity to re-prioritize, with more emphasis on security and on improving its VPN.