Before we get into the latest scary virtual private network (VPN) news, let’s do as Naked Security’s Paul Ducklin advises and repeat after him:
A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.
Many people do trust their VPN provider. A lot. Unfortunately, some of them shouldn’t, going by what a Department of Homeland Security (DHS) higher-up recently said.
In a letter sent to Senators Ron Wyden and Marco Rubio on 22 May 2019, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote that foreign adversaries are interested in exploiting VPN services. From the letter:
Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes.
Krebs was writing in response to a 7 February 2019 letter sent to him by the senators, who are concerned about threats posed by apps created in countries of national security concern to the US.
The senators noted that mobile browsers such as Yandex, Dolphin and Opera use their own servers as an intermediary for user traffic, compressing the pages before delivering them to users in order to save data. Similarly, VPN providers route traffic through their own servers in order to mitigate privacy concerns – nominally, at least, the senators said.
Potential security risks are of particular concern when it comes to government employees using VPNs, mobile data proxies, or other apps that might be vulnerable to foreign government surveillance, the senators said. They noted that the US government has already recognized the national security risks posed by Chinese telecom equipment, for one: a year ago, the Pentagon banned Chinese smartphones from military exchanges.
Six years prior, the US House of Representatives issued a report recommending that Huawei and ZTE be banned because of concerns over spying. A year-long investigation had shown that the companies had maintained close ties to the Chinese Communist Party and People’s Liberation Army back home while trying to expand their US businesses.
No overarching policy to stop it
In Krebs’ reply to the senators, he said that there’s no overarching US policy preventing government mobile device users from downloading foreign VPN apps. He also referenced the National Institute of Standards and Technology (NIST), which has published Guidelines for Managing the Security of Mobile Devices in the Enterprise. From those guidelines:
Mobile devices are manufactured to easily find, acquire, install, and use third-party applications from mobile device application stores. This poses obvious security risks, especially for mobile device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing.
Recent problems with third-party apps published to app stores have included government spyware hiding in plain sight in Google Play, for example.
Krebs said that according to “open-source reporting”, the Russian government in November 2017 enacted laws that force domestic and foreign VPN providers to participate in Russia’s blacklist enforcement system: a system that allows the government to “access and influence Russia-based VPN providers,” such as Yandex. Also, in December 2017, the Indian government issued an advisory to employees that the Chinese government had used popular mobile apps – including WeChat, Truecaller, Weibo, UC Browser, and UC News – to collect information on sensitive Indian security installations.
CISA believes the apps pose a “low to moderate” risk of affecting government operations, though Krebs notes that the agency has limited visibility into what government employees install on their federally contracted mobile devices.
VPNs don’t improve spotty security
For many, VPNs are synonymous with security, and it’s not difficult to imagine a person of interest to foreign adversaries downloading one to a private phone in a misguided attempt to avoid becoming the next John Podesta. (Podesta’s Twitter account was hijacked and his Gmail famously compromised during the 2016 US presidential election.)
As Naked Security has pointed out many times over, your VPN is a bottleneck through which all your traffic flows. It works by encrypting your network traffic and transporting it to a server somewhere else on the internet. That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.
The encryption shields your traffic from all prying eyes other than the VPN itself, which becomes a box seat for reading your communications.
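The two paragraphs above describe the tunnel in words. What follows is an added example, not code from the article, that models the same flow in Python to show what each party can read: the local first hop (your ISP or the coffee-shop Wi-Fi), the VPN server, and the destination, with and without an extra end-to-end layer such as TLS. The endpoint name, the keys and the toy keystream cipher are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample values: a placeholder VPN endpoint and two shared keys.
VPN_SERVER = "vpn.example.net"
TUNNEL_KEY = b"constructed client<->vpn tunnel key"
E2E_KEY = b"constructed client<->site session key"   # stands in for a TLS session key


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy counter-mode keystream built from SHA-256; illustration only, not a real cipher."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes


def client_send(dst: str, payload: bytes, end_to_end: bool) -> Packet:
    """What leaves the client: the real destination and payload, wrapped in the tunnel.
    With end_to_end=True the payload is first encrypted under a key the VPN does not hold."""
    if end_to_end:
        payload = keystream_xor(E2E_KEY, payload)
    inner = dst.encode() + b"|" + payload          # dst never contains '|'
    return Packet("client", VPN_SERVER, keystream_xor(TUNNEL_KEY, inner))


def isp_view(wire: Packet) -> dict:
    """The first hop before the VPN sees only the tunnel endpoint and ciphertext."""
    return {"dst": wire.dst, "payload": wire.payload}


def vpn_view(wire: Packet) -> Packet:
    """The VPN server strips the tunnel layer and forwards as if from its own network."""
    inner = keystream_xor(TUNNEL_KEY, wire.payload)
    dst, payload = inner.split(b"|", 1)
    return Packet(VPN_SERVER, dst.decode(), payload)


def destination_view(forwarded: Packet, end_to_end: bool) -> bytes:
    """The destination removes the end-to-end layer, if any, and reads the request."""
    return keystream_xor(E2E_KEY, forwarded.payload) if end_to_end else forwarded.payload
```

Without the end-to-end layer the VPN server reads the full request, cookies included; with it, the VPN still learns which site you talk to, which is the "first hop" visibility the article is warning about.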
So when is a VPN useful? Paul describes it this way:
A VPN that you run at home or at work and use while you are on the road is great for what you might call ‘security predictability’: it helps you keep your security posture as good or as bad as it would be back at base. When you’re a stranger in a strange land, it can be a comfort to know your network data is nevertheless being handled as it would be at home.
But a VPN that someone else runs for you, in some other country, under someone else’s laws – well, *you* might well be at home, but now it’s your data that’s a stranger in a strange land, so your security might improve, or it might get worse. For all you know – and, of course, you *don’t* know – it might get a lot worse.
Will
OK, so if you’re going to use one, you need to trust your VPN provider. I thought that went without saying, but perhaps for the masses (who don’t read NS) that reinforcement from DHS will help.
Can we pause for a moment and note the simply ludicrous statement that the government has limited oversight/control as to what employees download to their government-issued phones?? That can’t possibly be accurate (unless it’s limited to CISA’s visibility, which is still concerning). Even small businesses can get their hands on strong Mobile Device Management software these days.
Paul Ducklin
I think a lot of people assume that because a VPN changes their apparent location online, it therefore makes them anonymous and keeps them private from everyone, including the VPN provider itself.
It’s appealing to assume that cybersecurity is that simple – in the same way that people download the Tor Browser and imagine it’s an all-you-need invisibility blanket.
Ironically, I’ve even heard people who have chosen a VPN provider specifically to help them watch TV illegally (by pretending they’re in another country) arguing that the provider must also, ipso facto, have their personal cybersecurity at heart, and therefore that their identity is sure to be safe. I guess it’s inconvenient to stop and think that someone who’s knowingly helping you to violate copyright rules might just choose to throw you under the bus to save themselves if the cops in their country come knocking…
(NB. I am not suggesting or implying that VPN providers are rogues “just because”. I am merely noting that there seems to be a willingness on the part of many people to assume that no VPN provider could ever sell them out *even if the provider wanted to*. In other words, VPNs seem to have been dusted with some sort of cybersecurity magic, whoever is running them, and where, and for whom. In three words: stop, think, connect.)
Will
You make a great point, though I think this falls under the heading of “if it seems too good to be true, it probably is”. The wildcard is always going to be the human element. This is why choosing a VPN provider, a home security system or the like involves the most important currency: trust.
Spryte
I liken using a VPN to storing my data “on someone else’s computer”… The same info you pass to your ISP you pass to the VPN. Keep that in mind.
There was a time when I had a VPN, found I never used it, then discontinued it.
Ismail
VPNs should always be used and any traffic sent over their networks should always be encrypted before entering it. In the US, most ISPs can not be trusted to not monitor connections and scrape info from them. They do so passively and without notifying users what they are doing. That info gets passed on to companies willing to pay for it and whatever governmental agencies interested in obtaining it.
Using a VPN prevents local ISPs from doing that and using always-on encryption prevents the VPN providers from doing the same.
People should honestly trust neither. And the DHS “warning” is like a wolf warning the chickens to watch out for foxes.
Paul Ducklin
You could swap around the words “VPN” and “local ISP” in your comment and it would amount to the same thing… the whole problem is that it’s not that one is inevitably better than the other, at least if you live in a nominally democratic country such as the US or UK.
The -P- in VPN doesn’t guarantee your privacy at all – it’s just a way of having a hop in your connectivity that’s more private than the Wi-Fi at the coffeeshop or the public internet. Saying that a VPN ensures privacy is like saying that the autopilot system in a Tesla car is a “driver replacement.” (Actually, it’s like saying that the Tesla Autopilot is an autopilot, but that’s an argument for another day.)
john gizzi
ok, so how can you know if the VPN can be trusted? useless article without a follow-up
Mark Stockley
You don’t.
barb
gotta try to find out info about it, like which country it’s based in, something about the founders/owners and their philosophy or culture. Even then it’s hard to know how reliable such info is, it’s like trying to trust what politicians say.