Americas

  • United States
jong_kim
Contributor

Recent VPN hacks reveal transparency issues within the industry and its supply chain

Opinion
Dec 23, 20195 mins
HackingNetwork SecuritySecurity

It’s time VPN vendors start minding their own kitchen before they burn the whole house down.

ipsecurity protocols network security vpn2
Credit: Getty Images

Consumers are no doubt becoming increasingly aware about the safety and security of their online activity after many highly publicized studies have shown an uptick in online data theft. According to the Federal Trade Commission, there were 3 million reports of identity theft alone in 2018.

Even though these threats — and the rash of data breaches — continue to grab headlines, consumers still are connecting to public wifi despite the threats and are joining other unsafe networks while traveling. More cautious or tech-savvy individuals know to turn to virtual private networks (VPNs) as a way to safely connect online, and as VPNs become more mainstream, some project the VPN market can grow to more than $35 billion by 2022. We’ve even seen some vendors to capitalize by creating flashy TV commercials that insinuate that they are consumers’ digital doorman. 

However, as these companies look to pull back the curtain on the nefarious digital underworld, I can’t help but wonder if the curtain has been sufficiently pulled back on their own operation? I don’t mean this as if they, too, are digital thieves taking oblivious consumers’ data (though some very well do sell your data to third parties), but instead question whether the VPN industry has been transparent about its own security protocols. 

It wasn’t that long ago that NordVPN, probably the most well-known vendor, was hacked. An attacker broke into one of its servers in an overseas data center by penetrating a surprisingly insecure remote management system left by the “unnamed” data center provider. 

While NordVPN became the latest high-tech hack and even though there’s great irony of being an insecure security system, that’s not the egregious issue here. It’s also not the fact that the breach went unnoticed for a month, though that one does sting a little extra. The real warning here is that NordVPN not only didn’t know the system was being used to support its operation, but it also had no idea the thing even existed. Think about that for a minute; a data-security vendor engaged with a core partner and didn’t audit all of the potential vulnerabilities within their partners. 

Was NordVPN just an industry anomaly that had a single lapse in judgement? Nope, we came to find out that this vulnerability not only compromised NordVPN, it also exposed others like TorGuard. Now we have a scary trend. There are already a lot of sketchy VPN providers marketing to a consumer base that is still largely unfamiliar with the technology — including those that may be willing to share your data with authoritarian governments. But now even the most “trusted” have proven that they, too, have either lax or downright sloppy protocols in place to mitigate all points of potential attacks.

Why is this such an issue? The whole situation exposes a huge question mark around whom is auditing these VPN players’ infrastructure. It also completely exposes the lack of transparency that the VPN industry has around its supply chain. Even in the wake of the NordVPN hack, the guilty data center provider was left unnamed.

When I was managing infrastructure at Google to make sure it all ran securely and efficiently, which included dealing with thousands of devices and partners, I experienced firsthand how difficult it was to have perfect visibility into the infrastructure supply chain. We went to great lengths — and had to invest a lot of resources — to map out every single integration, app and extension that our employees and partners used to do their jobs.

While not every organization has access to the same level of resources that I did at Google, many VPN providers claim to have all the best features to keep consumers safe (military-grade encryption, no logging, automatic kill switches, etc.). However, it’s all moot if they fail at keeping their servers secure. What the VPN industry seemingly lacks is a framework, infrastructure and process in place to understand the treats posed by all the vendors supporting them – including their vendors’ vendors.

There’s no doubt that it’s a hard networking challenge to solve, but it’s not without options. The supply chain and partner auditing issues are two of the reasons why I was attracted to blockchain-backed networking after leaving Google, because the blockchain developer community understands that transparency and auditing are paramount in an increasingly complex threat environment. Auditing might be a bit more straightforward because each supplier would record what they did and didn’t do on the blockchain while also signing in using their private key. In the NordVPN case, it could’ve allowed for a log of the administration tool left on the server, which might have been flagged if there was a review of the supply-chain history.

The bottom line is that it’s time these VPN vendors start minding their own kitchen before they burn the whole house down. It’s no longer enough to simply trust the VPN industry to disclose its supply chains and then assume it’ll self-police. If vendors want to truly provide the utmost transparency and lock down their infrastructure, then a good place to start is either making a commitment and investment in independent auditing or take some cues from the vigilant blockchain community.

jong_kim
Contributor

Jong Kim is the chief architect at Marconi Foundation. He's also an experienced blockchain developer, investor, and Bitcoin miner since 2011. He previously served as a Google network infrastructure lead after Appurify, where he led hardware and software development, was acquired in 2014. Jong also was the founder of HashLayer, one of the first multi-blockchain explorers, and has been a senior software engineer for Zynga and Qualcomm.

The opinions expressed in this blog are those of Jong Kim and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies