Naked Security

Hacker breached servers used by NordVPN


Leading VPN provider NordVPN has been forced to admit that a hacker stole the private key for a TLS certificate (since expired) used to secure connections between customers and the company’s web servers.

According to a statement, the attack happened in early 2018 at the Finnish data centre of a third-party hosting provider used by the company. The attacker got in through an insecure remote management interface the provider had left on the server, which NordVPN says it was never told about.

Not a good look for a company offering a VPN service which customers buy to boost the security and privacy of their internet connection. However, in a statement released earlier this week the company downplayed the risk of misuse:

The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.

There’s no evidence the stolen key was abused, and the certificate has since expired, so it can no longer be used to impersonate the site.

So that’s that? Unfortunately not. Indeed this is where the story of the NordVPN hack takes a confusing turn involving rival VPN companies.

The reason we know about this incident at all is thanks to Twitter user @hexdefined, who tweeted about it at the weekend.

And how did @hexdefined know about it? Because the stolen key, and probably some others, have apparently been circulating on the dark corners of the internet for some time.

The plot thickens

Earlier this week, NordVPN came clean about the incident, saying it had sat on the news for 18 months while checking that none of its other 3,000 or so servers had the same weakness.

As to the possibility that other VPN providers were caught up in the same hack, TorGuard released a statement admitting that one of its servers had suffered the same fate:

The TLS certificate for *.torguardvpnaccess.com on the affected server is a squid proxy cert which has not been valid on the TorGuard network since 2017…

It’s a confusing mess.

A hack happened at a service provider used by NordVPN. Somehow, two rivals were caught up in it too, and so far the companies’ statements don’t make clear whether that happened at the same time or in a separate incident that only came to light because of this one.

Are these VPNs still secure?

If this had been exploited while the certificate was still valid, an attacker could in principle have stood up a bogus server presenting the stolen certificate and key for the NordVPN web domain it covered, and used it for man-in-the-middle (MitM) attacks on customers’ connections to the website. Two caveats apply: the attacker would also have needed to get victims to that server in the first place (a hostile Wi-Fi hotspot, DNS or routing tricks), and browsers would have trusted it only until the certificate expired. Note that the certificate in question secured the web servers, not the VPN tunnel itself.

That risk was probably small and, now that the certificate has expired, no longer exists. But it’s a reminder that while VPNs offer security for network traffic in transit, and provide some degree of privacy by masking your IP address, they are still built out of servers configured by people and housed on infrastructure run by third-party suppliers.
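The difference between impersonation (what a stolen key allows while the certificate is trusted) and retrospective decryption of old traffic (which readers ask about in the comments below) is easier to see worked through. The following is an illustration added by the editor, not code from NordVPN, TorGuard or Naked Security. It is a toy model of two TLS key-exchange styles using textbook RSA with tiny primes and a small Diffie-Hellman group, none of it usable as real cryptography, and it assumes an illustrative certificate expiry date. With RSA key transport, a recorded handshake plus the stolen private key yields the session key. With signed ephemeral Diffie-Hellman, the same stolen key recovers nothing from the recording; what it gives the attacker is the ability to sign a fresh server share and impersonate the server in a live MitM, and only while clients still accept the certificate.

```python
# Editor's illustration, not NordVPN's, TorGuard's or Naked Security's code.
# Textbook RSA with tiny primes and a small DH group: a model, NOT real crypto.
import hashlib
import random
from datetime import date

# --- the server's long-term RSA key: the thing that was stolen -------------
P, Q = 104729, 1299709                    # small primes, illustration only
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent (needs Python 3.8+)
CERT_NOT_AFTER = date(2018, 10, 31)       # assumed expiry date, not from the article


def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def rsa_sign(msg: bytes, d: int = D) -> int:
    return pow(_digest(msg), d, N)


def rsa_verify(msg: bytes, sig: int, now: date) -> bool:
    """A client accepts a signature only while the certificate is still valid."""
    return now <= CERT_NOT_AFTER and pow(sig, E, N) == _digest(msg)


def derive_session_key(shared_secret: int) -> str:
    return hashlib.sha256(str(shared_secret).encode()).hexdigest()


# --- 1. RSA key transport (TLS_RSA_* suites; TLS 1.2 and earlier only) -----
def rsa_key_transport(rng: random.Random):
    """Client chooses the premaster secret and sends it encrypted to the server."""
    pms = rng.randrange(1, N)
    transcript = {"enc_pms": pow(pms, E, N)}  # what a passive eavesdropper records
    return transcript, derive_session_key(pms)


def attacker_rsa(transcript: dict, stolen_d: int) -> str:
    """Any time later, the stolen key turns the recording into the session key."""
    pms = pow(transcript["enc_pms"], stolen_d, N)
    return derive_session_key(pms)


# --- 2. Signed ephemeral Diffie-Hellman (DHE/ECDHE; TLS 1.3 dropped RSA transport)
DH_P = 2**127 - 1                         # Mersenne prime; real groups are 2048-bit or curves
DH_G = 5


def dhe_handshake(rng: random.Random, now: date):
    a = rng.randrange(2, DH_P - 1)        # client's ephemeral secret, discarded afterwards
    b = rng.randrange(2, DH_P - 1)        # server's ephemeral secret, discarded afterwards
    A, B = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    signed = f"{A}|{B}".encode()
    sig = rsa_sign(signed)                # server proves it holds the certificate's key
    if not rsa_verify(signed, sig, now):
        raise ValueError("client rejects server: bad signature or expired certificate")
    transcript = {"A": A, "B": B, "sig": sig}  # a and b never appear on the wire
    shared = pow(B, a, DH_P)
    assert shared == pow(A, b, DH_P)
    return transcript, derive_session_key(shared)


def attacker_dhe(transcript: dict, stolen_d: int, rng: random.Random, now: date) -> dict:
    """The stolen key recovers nothing from the recording: the shared secret needs
    a or b. It does let the attacker sign a fresh share and impersonate the server
    in a live, active MitM, but only while clients still trust the certificate."""
    m = rng.randrange(2, DH_P - 1)
    M = pow(DH_G, m, DH_P)
    victim_share = transcript["A"]        # whatever the victim client sends in the new session
    forged = f"{victim_share}|{M}".encode()
    return {
        # under the Diffie-Hellman assumption nothing computable from (A, B, sig, d) gives g^ab
        "recovered_session_key": None,
        "impersonation_accepted": rsa_verify(forged, rsa_sign(forged, stolen_d), now),
    }


def run_demo() -> dict:
    """Runs both handshakes against the same stolen key and reports what the attacker got."""
    t, k = rsa_key_transport(random.Random(1))
    rsa_broken = attacker_rsa(t, D) == k
    t, k = dhe_handshake(random.Random(1), date(2018, 3, 1))
    live = attacker_dhe(t, D, random.Random(2), date(2018, 3, 1))
    late = attacker_dhe(t, D, random.Random(2), date(2019, 10, 21))
    return {
        "rsa_transport_recording_decrypted": rsa_broken,
        "dhe_recording_decrypted": live["recovered_session_key"] is not None,
        "dhe_live_mitm_while_cert_valid": live["impersonation_accepted"],
        "dhe_live_mitm_after_expiry": late["impersonation_accepted"],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Which of the two cases applied to NordVPN’s web servers in 2018 depends on the cipher suites those servers negotiated, which the company’s statement does not say; the example only shows what the stolen key could and could not have done under each. Modern browsers prefer forward-secret (EC)DHE suites, and TLS 1.3 removed RSA key transport altogether, so for a current deployment the second case is the realistic one.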

6 Comments

Could it be possible that some attacker captured encrypted traffic in the past and is now, with the private key, able to decrypt it?


Not if the key exchange between client and server was done with the Diffie-Hellman algorithm. In DH, the client and server independently calculate their own copy of the symmetric key (session key) used for encryption, and it is done often. It is never transferred over the wire. AKA Perfect Forward Secrecy. Compromise of the server’s private key does not result in the compromise of the individual session keys in this case.


The chances that someone might actually be affected by this are around zero. NordVPN has, like, what, 15 million customers, and that Finnish server just had several users who were at any risk. This story just serves to demonstrate how the media can create a huge drama from thin air. But it’s all about them clicks nowadays, isn’t it.


Wow! Looks like a whole bunch of people who promoted this service on their YouTube channels are going to have a lot of apologizing to do.
