
NordVPN is one of the best VPNs on the market today, with a network spanning more than 5,000 servers. However, even the best can fail sometimes.
And something like that has happened, though it’s nothing drastic – don’t go into panic mode just yet.
NordVPN has confirmed that one of its servers was accessed without authorization.
The group behind this incident calls itself KekSec; it managed to access a server and leak Nord’s OpenVPN configuration, the associated private key, and TLS certificates.
According to NordVPN, hackers managed to gain access to a rented server in Finland by exploiting an insecure remote management system left by the data center provider.
How did we get here?
It all started in March 2018, when TLS certificates belonging to NordVPN, VikingVPN, and TorGuard web servers were posted on 8chan. These certificates have now expired but were current at the time of posting.
Said certificates enabled hackers to get root access to the affected servers’ web containers, which in turn gave them the ability to tamper with data passing through them.
The important thing is that the hackers were not able to access any user account information, as that data is stored elsewhere. In other words, the hackers could only meddle with data passing through that specific server in Finland; users connecting to servers in other parts of the world were not affected at all.
There is a problem, though
What’s somewhat scary is that NordVPN’s private SSL keys — as well as those of VikingVPN and TorGuard — were floating around for some time, mostly unnoticed. This is a problem, when you think about it, even though SSL keys alone are not enough for a hacker to wreak havoc. Nonetheless, SSL keys are part of the bigger security setup of any VPN provider, and protecting them properly is important.
According to NordVPN, neither the TLS certificate nor the VPN keys can be used to decrypt regular VPN traffic or previously recorded VPN sessions.
The company’s OpenVPN sessions use perfect forward secrecy (ephemeral encryption keys) via DHE-2096 Diffie-Hellman keys during the TLS key exchange. This means that even if one VPN session key were brute forced, only one hour of that VPN session would be compromised before the key was changed.
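To make the forward-secrecy argument concrete, here is an added toy model of the handshake described above. It is not NordVPN’s code and not OpenVPN’s implementation: the HMAC stand-in for the certificate signature, the key names and the recorded transcripts are constructed for illustration, and the only real constants are OpenVPN’s default one-hour reneg-sec interval and the RFC 2409 group 2 modulus (1024-bit, chosen so the script runs quickly; production groups should be 2048-bit or larger). It shows three things: each hour gets an independent session key, the long-term signing key is not an input to the session key (so leaking it later does not unlock recorded traffic), and what a leaked long-term key still allows until it is revoked.

```python
"""
Added example, not NordVPN's code: a toy model of an OpenVPN-style TLS handshake
with ephemeral Diffie-Hellman (DHE) and hourly renegotiation.
"""
import hashlib
import hmac
import random
import secrets

# 1024-bit MODP group from RFC 2409 (group 2). Used here only so the script runs
# quickly; production deployments should use 2048-bit or larger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
RENEG_SEC = 3600          # OpenVPN's default reneg-sec: fresh keys every hour


def toy_sign(sign_key: bytes, msg: bytes) -> bytes:
    """Stand-in for the RSA signature made with the server's TLS certificate key.
    HMAC is used for brevity (constructed); the property that matters is that the
    long-term key only authenticates the handshake and never feeds the session key."""
    return hmac.new(sign_key, msg, hashlib.sha256).digest()


def handshake(server_sign_key: bytes, recorder: list, rng=None) -> bytes:
    """One DHE handshake between client and server. Returns the session key; the
    ephemeral exponents x and y go out of scope when the function returns.
    rng is only for deterministic tests; by default secrets is used."""
    draw = rng.randrange if rng is not None else (lambda a, b: secrets.randbelow(b - a) + a)
    x = draw(2, P)                            # server ephemeral secret
    y = draw(2, P)                            # client ephemeral secret
    gx = pow(G, x, P)
    gy = pow(G, y, P)
    sig = toy_sign(server_sign_key, gx.to_bytes(128, "big"))
    # Everything an on-path observer can record: public values and the signature.
    recorder.append({"gx": gx, "gy": gy, "sig": sig})
    shared_server = pow(gy, x, P)
    shared_client = pow(gx, y, P)
    assert shared_server == shared_client
    return hashlib.sha256(b"openvpn-session" + shared_server.to_bytes(128, "big")).digest()


def run_connection(server_sign_key: bytes, duration_sec: int, recorder: list) -> list:
    """Session keys used over one connection: a handshake at start, then one per hour."""
    return [handshake(server_sign_key, recorder) for _ in range(duration_sec // RENEG_SEC + 1)]


def hours_exposed_if_broken(session_keys: list, broken_key: bytes) -> int:
    """Hours of traffic readable by someone who brute-forced exactly one session key."""
    return sum(1 for k in session_keys if k == broken_key)


def session_key_ignores_long_term_key(seed: int = 7) -> bool:
    """Same ephemeral randomness, two different long-term keys: identical session key.
    This is why a leaked signing key cannot decrypt previously recorded sessions."""
    k_a = handshake(b"server-long-term-key-A", [], random.Random(seed))
    k_b = handshake(b"server-long-term-key-B", [], random.Random(seed))
    return k_a == k_b


def attacker_can_impersonate(leaked_sign_key: bytes) -> bool:
    """The real consequence of a long-term key leak: until the key is revoked, an
    attacker can sign a fresh handshake and pose as the server to new clients."""
    forged_gx = pow(G, secrets.randbelow(P - 2) + 2, P)
    forged_sig = toy_sign(leaked_sign_key, forged_gx.to_bytes(128, "big"))
    # A client trusting that key would accept the forged signature as genuine.
    return hmac.compare_digest(forged_sig, toy_sign(leaked_sign_key, forged_gx.to_bytes(128, "big")))


if __name__ == "__main__":
    recorded = []
    keys = run_connection(b"server-long-term-key", 2 * RENEG_SEC, recorded)
    print("distinct hourly keys:", len(set(keys)), "of", len(keys))
    print("hours exposed if one key is broken:", hours_exposed_if_broken(keys, keys[1]))
    print("session key independent of signing key:", session_key_ignores_long_term_key())
    print("leaked signing key allows impersonation:", attacker_can_impersonate(b"server-long-term-key"))
```

The last function is the caveat the article’s reassurance glosses over: forward secrecy protects recorded and ongoing traffic, but a leaked certificate key remains usable for impersonating the server until the certificate is revoked or expires, which is why rotation and revocation are still required after a leak like this one.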
Is NordVPN not the one to blame?
In its blog post describing the incident, NordVPN explained that only a single server in Finland was affected, adding that at least part of the blame lies with the server center staff:
“The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider,” NordVPN writes. “We were unaware that such a system existed.”
We’re not sure we completely agree with this, as we would think NordVPN has enough resources to place its own servers in all of its locations, or at the very least, inspect them thoroughly.
“We have many clients, and some large VPN service providers among them, who take care of their security very strongly,” Niko Viskari, CEO of the data center where NordVPN’s server was located, told The Register: “NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders.”
Viskari went on to explain that all servers provided by his company use the iLO or iDRAC remote access tools, which have known security issues from time to time — but the server center keeps them patched with the latest firmware updates.
Unlike its other customers, NordVPN did not ask for these tools to be restricted by placing them “inside private nets or shutting down ports until they are needed.”
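The restriction Viskari describes, keeping iLO/iDRAC interfaces on private networks with their ports closed, is something a customer can verify for itself. The following is an added posture check, not the data center’s or NordVPN’s tooling: it walks a server inventory and flags any BMC whose address sits outside the management network or whose management ports the firewall allows from anywhere else. The host names, addresses, management network and firewall rules are all constructed for the example.

```python
"""
Added example, not the data center's or NordVPN's tooling: a posture check that
every out-of-band management interface (iLO, iDRAC or other BMC) in a server
inventory lives on a dedicated management network and that its ports are only
reachable from that network. All names, addresses and rules are constructed.
"""
import ipaddress

# Ports that out-of-band management interfaces commonly listen on.
MGMT_PORTS = {22: "ssh", 443: "https", 623: "ipmi"}

# Networks from which BMC access is permitted (constructed management VLAN).
MANAGEMENT_NETS = [ipaddress.ip_network("10.200.0.0/24")]

# Constructed inventory: BMC address plus the (source, port) pairs the upstream
# firewall currently allows to reach it.
INVENTORY = [
    {"host": "fi-vpn-01", "bmc": "10.200.0.11",
     "bmc_allow": [("10.200.0.0/24", 443), ("10.200.0.0/24", 22)]},
    {"host": "fi-vpn-02", "bmc": "10.200.0.12",
     "bmc_allow": [("0.0.0.0/0", 443), ("0.0.0.0/0", 623)]},     # never restricted
    {"host": "fi-vpn-03", "bmc": "192.168.77.5",
     "bmc_allow": [("10.200.0.0/24", 443)]},                     # wrong network
]


def audit_host(entry: dict, mgmt_nets=MANAGEMENT_NETS) -> list:
    """Return the findings for one host; an empty list means the BMC is contained."""
    findings = []
    bmc = ipaddress.ip_address(entry["bmc"])
    if not any(bmc in net for net in mgmt_nets):
        findings.append(f"BMC address {bmc} is outside the management networks")
    for src, port in entry["bmc_allow"]:
        src_net = ipaddress.ip_network(src, strict=False)
        # A permitted source must be fully inside one of the management networks.
        if not any(src_net.subnet_of(net) for net in mgmt_nets):
            name = MGMT_PORTS.get(port, "port")
            findings.append(f"{name}/{port} on the BMC is reachable from {src_net}")
    return findings


def audit(inventory: list, mgmt_nets=MANAGEMENT_NETS) -> dict:
    """Map host name -> findings, listing only hosts that have at least one."""
    report = {}
    for entry in inventory:
        found = audit_host(entry, mgmt_nets)
        if found:
            report[entry["host"]] = found
    return report


if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

In practice the inventory would be fed from the provider’s asset list or the firewall’s own rule export; the point of the check is that a "we did not know the tool existed" situation shows up as a host with a BMC entry nobody configured rather than as a surprise after an incident.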
Lesson learned…
NordVPN, for its part, claims it didn’t even know these tools existed, but had it set up its own servers, the problem would never have arisen.
We are confident that the lessons from this incident have been learned and that, going forward, NordVPN will do whatever it takes to ensure this scenario is not repeated. Because at the end of the day, more damage has been done to NordVPN’s reputation than to its users’ privacy.
“Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue,” NordVPN said in its statement.
We at VPN Reports still consider NordVPN to be one of the best VPNs around. In a way, this hack even proves that, since no user data was affected and nobody noticed any performance hiccups.