NordVPN admits it was hacked

NordVPN, one of the most prominent and respected consumer VPN providers, has confirmed that one of its servers was accessed without authorisation. 

The story broke after NordVPN posted a rather impulsive and foolhardy statement on Twitter.

NordVPN tweet

Rather than taking it as a statement of fact, the Twitterverse saw this as a challenge, and it wasn’t long before a group calling itself KekSec revealed that hackers had accessed a server and leaked Nord’s OpenVPN configuration and associated private key, as well as TLS certificates.

Keksec twitter response

NordVPN has now acknowledged the breach, stating that an attacker gained access to a rented server in Finland by exploiting an insecure remote management system left by the datacenter provider.

Background

In March 2018, TLS certificates belonging to NordVPN, VikingVPN, and TorGuard web servers were posted on 8chan. These certificates have now expired but were current at the time of posting. Despite NordVPN’s efforts to downplay the breach, the publication proves without a doubt that NordVPN has been compromised at some point in the past. 

Whoever obtained these certificates must have been able to read the private keys on the affected servers’ web containers, which in practice means root-level access to them and therefore full control, including the ability to sniff and tamper with the data passing through them.

In theory, this also means that anyone could have set up a dummy website purporting to belong to NordVPN, VikingVPN, or TorGuard, which your browser would have accepted as genuine, provided the attacker could also steer your traffic to it (through DNS tampering, a rogue Wi-Fi hotspot, or some other position on your network path). Indeed, someone has even posted an example of such an attack in action:

Tianyu Zhu homepage

NordVPN, however, told us that such a MitM attack would not be possible unless an attacker was also able to hack into a user’s computer or to intercept and modify their network traffic.

The bigger issue

It has also become apparent that the private keys for NordVPN’s OpenVPN TLS certificates “have also just been floating around mostly unnoticed” for some time now. Yikes! This has fueled speculation that an attacker could decrypt users’ VPN sessions, including past VPN sessions, allowing them to see what NordVPN customers got up to online.

Again, NordVPN was keen to pour cold water on this idea. “Neither TLS Certificate or VPN Keys can be used to decrypt regular VPN traffic or previously recorded VPN session,” they told ProPrivacy.

It’s worth remembering that NordVPN’s OpenVPN sessions use perfect forward secrecy: the session keys are ephemeral, negotiated with Diffie-Hellman (DHE) during the TLS handshake, and the long-term certificate key is used only to authenticate that handshake, never to protect the session key itself. So even if a single session key were brute forced at huge cost in money, effort and computing power, only the traffic from one re-keying interval (one hour by OpenVPN’s default) would be exposed before the key changed.

Forward secrecy, though, only protects against a key that is stolen after the fact. An attacker with root access to the VPN server, as here, could have read traffic in the clear as it passed through the server for as long as that access lasted, whatever the key exchange.
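The two claims above (a stolen certificate key does not unlock recorded sessions, but does let a suitably positioned attacker impersonate the server) can be seen side by side in a short simulation. This is an added example written for this article, not NordVPN’s or OpenVPN’s code, and it makes three simplifying assumptions to stay dependency-free: the 1024-bit MODP group from RFC 2409 stands in for the larger group a real deployment should use; an HMAC under the server’s long-term key stands in for an RSA/ECDSA signature over the handshake; and a SHA-256 keystream XOR stands in for AES-GCM. None of these change the forward-secrecy argument, which rests only on which secret the session key is derived from.

```python
import hashlib
import hmac
import secrets

# RFC 2409 group 2 (1024-bit MODP). Assumption for brevity only: real TLS /
# OpenVPN deployments should use a 2048-bit or larger group.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def enc(x: int) -> bytes:
    return x.to_bytes(128, "big")          # every value here is below 2**1024


def random_exponent() -> int:
    return secrets.randbelow(P - 2) + 1


def derive_key(shared_secret: int) -> bytes:
    """Session key from the DH shared secret (stand-in for the TLS PRF/HKDF)."""
    return hashlib.sha256(b"session-key" + enc(shared_secret)).digest()


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy record cipher (assumption: SHA-256 keystream XOR instead of AES-GCM).
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


# ---- Mode 1: static key exchange, no forward secrecy ----------------------
# The server's long-term private key is the DH exponent itself. RSA key
# transport has the same shape: the long-term key unwraps the session secret.

def static_session(server_longterm_priv: int, plaintext: bytes) -> dict:
    server_pub = pow(G, server_longterm_priv, P)      # published in the cert
    a = random_exponent()                             # client's fresh exponent
    client_pub = pow(G, a, P)
    key = derive_key(pow(server_pub, a, P))           # client side
    assert key == derive_key(pow(client_pub, server_longterm_priv, P))  # server side
    # Everything a passive observer can record from the wire:
    return {"client_pub": client_pub, "ciphertext": stream_xor(key, plaintext)}


def attacker_static(recording: dict, stolen_longterm_priv: int) -> bytes:
    """Key leaks months later: recording + key gives back the session."""
    key = derive_key(pow(recording["client_pub"], stolen_longterm_priv, P))
    return stream_xor(key, recording["ciphertext"])


# ---- Mode 2: ephemeral DH; long-term key only authenticates the handshake --

def handshake_tag(auth_key: bytes, client_pub: int, server_pub: int) -> bytes:
    """Server proves possession of its long-term key over the transcript
    (assumption: HMAC stands in for an RSA/ECDSA signature)."""
    return hmac.new(auth_key, enc(client_pub) + enc(server_pub), "sha256").digest()


def ephemeral_session(server_auth_key: bytes, plaintext: bytes) -> dict:
    a, b = random_exponent(), random_exponent()       # fresh for this session only
    client_pub, server_pub = pow(G, a, P), pow(G, b, P)
    tag = handshake_tag(server_auth_key, client_pub, server_pub)
    key = derive_key(pow(client_pub, b, P))           # server side
    assert key == derive_key(pow(server_pub, a, P))   # client side agrees
    # a, b and key are dropped at session end. The long-term key touched
    # nothing on the wire except the tag, which the observer also records.
    return {"client_pub": client_pub, "server_pub": server_pub,
            "tag": tag, "ciphertext": stream_xor(key, plaintext)}


def attacker_ephemeral_can_forge(recording: dict, stolen_auth_key: bytes) -> bool:
    """What the stolen key buys against a recording: the attacker can verify
    (and so forge) handshake tags. It gives no route to the session key,
    which would need the discrete log of client_pub or server_pub."""
    expected = handshake_tag(stolen_auth_key, recording["client_pub"],
                             recording["server_pub"])
    return hmac.compare_digest(expected, recording["tag"])


def mitm_server_hello(stolen_auth_key: bytes, client_pub: int) -> tuple:
    """A NEW session where an in-path attacker answers the client with their
    own ephemeral value and a tag the client will accept. Real, but it needs
    a position on the victim's traffic path, which is NordVPN's point."""
    m = random_exponent()
    mitm_pub = pow(G, m, P)
    return mitm_pub, handshake_tag(stolen_auth_key, client_pub, mitm_pub)


if __name__ == "__main__":
    msg, s, k = b"GET /account HTTP/1.1", random_exponent(), secrets.token_bytes(32)
    print("static, key stolen later    ->", attacker_static(static_session(s, msg), s))
    rec = ephemeral_session(k, msg)
    print("ephemeral, key stolen later -> can forge handshakes:",
          attacker_ephemeral_can_forge(rec, k), "; recovered plaintext: none")
```

The asymmetry is the whole story: in the static mode the recording plus the stolen key reproduces the session key, while in the ephemeral mode the recording contains only g^a, g^b and a tag, and the stolen key lets the attacker mint tags for future handshakes (the impersonation NordVPN describes) without helping at all with the discrete log that the recorded session key hides behind.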

The blame game

NordVPN has published an official statement on the incident, in which it explains that only a single server located in Finland was affected. It also says that fault lies with the server center staff:

“The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed.”

We have to say, though, that we feel a company as large as NordVPN should be sending out its own technicians to set up its own bare-metal VPN servers, rather than relying on potentially untrustworthy third-party server staff to do it.

In our view, a VPN service should have complete control over its servers. Doing this would go a long way towards hardening a VPN server network against this whole class of threat. Interestingly, this is also a view held by Niko Viskari, CEO of the server center in question:

"Yes, we can confirm [Nord] were our clients," Viskari told The Register. "And they had a problem with their security because they did not take care of it themselves.


"We have many clients, and some large VPN service providers among them, who take care of their security very strongly,” he said, adding: “NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders."

In his statement, Viskari goes on to explain that all servers provided by his company use the iLO or iDRAC remote access tools. These have had security issues from time to time, but the server center keeps them patched with the latest firmware updates from HP and Dell.

Unlike its other customers, NordVPN did not ask for these tools to be restricted by placing them “inside private nets or shutting down ports until they are needed.” That matters because iLO and iDRAC run on a separate management controller with its own network interface: nothing NordVPN configured inside the server’s operating system, firewall rules included, would have limited who could reach them.

NordVPN, for its part, claims it didn’t even know these tools existed; but if it had set up its own servers the problem would never have arisen.
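A tenant does not have to take the datacenter’s word for it: whether a rented server’s management controller is reachable is something you can check from outside. The script below is an added example written for this article, not NordVPN’s or the datacenter’s tooling. The TCP port list is an assumption drawn from what iLO, iDRAC and generic BMCs commonly expose and should be adjusted for your estate; the UDP probe is the RMCP/ASF presence ping that IPMI-over-LAN answers with a presence pong.

```python
import socket

# Ports these products commonly expose (assumption: adjust for your estate).
BMC_TCP_PORTS = {
    22: "ssh (BMC command line)",
    80: "http (BMC web UI, usually redirects to 443)",
    443: "https (BMC web UI / Redfish API)",
    5900: "vnc (iDRAC virtual console)",
    17988: "iLO virtual media",
    17990: "iLO remote console",
}
IPMI_UDP_PORT = 623
# RMCP/ASF presence ping: RMCP header (version 6, reserved, seq 0xff,
# class 6 = ASF) + ASF IANA 0x000011be + type 0x80 (ping) + tag + reserved + len 0.
ASF_PRESENCE_PING = bytes.fromhex("0600ff06" "000011be" "80000000")


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, unreachable, or socket.timeout
        return False


def ipmi_responds(host: str, timeout: float = 2.0) -> bool:
    """A BMC with IPMI-over-LAN enabled answers the ping with a presence
    pong: same RMCP class byte, ASF message type 0x40."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(ASF_PRESENCE_PING, (host, IPMI_UDP_PORT))
            data, _ = s.recvfrom(64)
        except OSError:
            return False
    return len(data) >= 9 and data[3] == 0x06 and data[8] == 0x40


def scan_host(host, tcp_ports=None, check_ipmi=True, timeout=2.0):
    """Return [(port, description)] for every management service reachable
    from here. Any hit on a rented server's public address is a finding."""
    ports = BMC_TCP_PORTS if tcp_ports is None else tcp_ports
    findings = [(p, d) for p, d in ports.items() if tcp_open(host, p, timeout)]
    if check_ipmi and ipmi_responds(host, timeout):
        findings.append((IPMI_UDP_PORT, "ipmi / rmcp over udp"))
    return findings


def local_listener():
    """Offline test helper: a TCP listener on an ephemeral loopback port,
    standing in for an exposed BMC service."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        for port, desc in scan_host(host):
            print(f"{host}:{port}\tEXPOSED\t{desc}")
```

Run it against the public addresses of every rented box from a network you do not control. A clean result from the internet is still only half an answer: a controller that is unreachable from outside may be wide open from the provider’s own management network, which is exactly why the “private nets” and “shut down ports until needed” options the datacenter mentions are worth asking for in writing.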

“We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues.”

Which does not explain why the issue took some 18 months to come to light, with NordVPN only finally admitting to it in the wake of a Twitterstorm which saw damning evidence widely published on the internet.

At the end of the day, though, more damage has been done to NordVPN’s reputation than to its users’ privacy.

"Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue" the provider said in its statement.

"We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers. We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit all of our infrastructure to make sure we did not miss anything else."

ProPrivacy statement

ProPrivacy is dedicated to providing its users with advice they can trust. We regularly include NordVPN in our recommendations because of the fantastic service they offer. In light of this breaking story, we will be removing NordVPN from our security and privacy related articles until such time as we are confident that their service meets our expectations and those of our readers.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

1 Comment

  1. Felihita2

    on November 7, 2019
    Reply

    Is the data center for real? "We have many clients, and some large VPN service providers among them, who take care of their security very strongly,” Nordvpn IS the large VPN service provider and so are the other ones who were breached, what is he on about, their services failed to provide secure servers and that's that.. NordVPN is going through security changes we will see how much they will change because of this VPNs out there (moving to RAM and the new bug bounty program https://nordvpn.com/blog/security-plan/ ) But if you are worried about something else than security, then I don't know what to tell you..

