Recently, NordVPN admitted that one of its servers in Finland suffered a security breach in early 2018. The issue occurred due to a vulnerability in a remote management system used by the datacenter. In the breach, the attacker stole a NordVPN Transport Layer Security (TLS) key that could be used to impersonate the website or VPN servers, but not to decrypt traffic: a server's long-term key only authenticates it, and with forward-secret key exchange it is never used to derive session keys. The attacker also obtained OpenVPN keys, potentially allowing them to set up servers posing as legitimate NordVPN servers. As with the TLS key, however, the OpenVPN keys could not be used to decrypt data.
The breach could have exposed users to a “personalized and complicated” man-in-the-middle attack on a single connection to nordvpn.com. An attacker who pulled it off would see that connection's traffic in plaintext.
To illustrate the complexity of such an attack, here’s a list of steps the attacker would have to take:
- Get access to a network or compromise a user’s device, where they can insert themselves between the user and the NordVPN server
- Insert themselves between the user and the NordVPN server using some variant of a spoofing technique, fooling the user's device into treating the attacker as the intended recipient of its network traffic
- Impersonate the server using the stolen key
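The third step is the one the stolen key actually enables, and it is worth being precise about what was stolen: a private key, not a certificate. An attacker holding the key can mint their own certificate around it, so revoking the one certificate seen in the wild is not enough; the key itself has to be treated as burned and rotated. The following added example (written for this page, not NordVPN's code, using only the Go standard library, a hypothetical host name and self-signed certificates instead of CA-issued ones) shows that a forged certificate carrying the stolen key has a different certificate fingerprint but the same SubjectPublicKeyInfo fingerprint, that a blocklist keyed on certificates misses it while one keyed on public keys catches it, and that a freshly rotated key passes both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint hashes the SubjectPublicKeyInfo: it identifies the key,
// so every certificate minted with the same key shares this value.
func spkiFingerprint(c *x509.Certificate) string {
	s := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(s[:])
}

// certFingerprint hashes the whole DER certificate: it identifies one cert.
func certFingerprint(c *x509.Certificate) string {
	s := sha256.Sum256(c.Raw)
	return hex.EncodeToString(s[:])
}

// issue mints a self-signed server certificate for host with key (assumption:
// real deployments use CA-issued certs; self-signing keeps this offline).
func issue(host string, key *ecdsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Blocklist holds revoked certificate fingerprints and compromised-key
// fingerprints; Check rejects a certificate matching either set.
type Blocklist struct{ Certs, Keys map[string]bool }

func (b Blocklist) Check(c *x509.Certificate) (ok bool, reason string) {
	if b.Certs[certFingerprint(c)] {
		return false, "certificate revoked"
	}
	if b.Keys[spkiFingerprint(c)] {
		return false, "public key known compromised"
	}
	return true, ""
}

// Outcome records what each blocklisting strategy does with the certs.
type Outcome struct {
	SameKeyDifferentCert  bool // forged cert differs, but its SPKI matches
	CertListAcceptsForged bool // revoking only the original cert misses it
	KeyListRejectsForged  bool // blocking the key catches it
	RotatedAccepted       bool // a fresh key passes both lists
}

// Scenario plays out the theft: stolenKey backs the server's original cert,
// the attacker reuses it in a cert of their own, and the operator rotates.
func Scenario() (Outcome, error) {
	const host = "vpn.example.test" // hypothetical host, not NordVPN's
	stolenKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	freshKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	original, err := issue(host, stolenKey, 1)
	if err != nil {
		return Outcome{}, err
	}
	forged, err := issue(host, stolenKey, 4242) // attacker's cert, same key
	if err != nil {
		return Outcome{}, err
	}
	rotated, err := issue(host, freshKey, 2) // operator's replacement
	if err != nil {
		return Outcome{}, err
	}
	certOnly := Blocklist{Certs: map[string]bool{certFingerprint(original): true}}
	keyAware := Blocklist{Keys: map[string]bool{spkiFingerprint(original): true}}

	var o Outcome
	o.SameKeyDifferentCert = certFingerprint(original) != certFingerprint(forged) &&
		spkiFingerprint(original) == spkiFingerprint(forged)
	o.CertListAcceptsForged, _ = certOnly.Check(forged)
	okForged, _ := keyAware.Check(forged)
	o.KeyListRejectsForged = !okForged
	okRot1, _ := certOnly.Check(rotated)
	okRot2, _ := keyAware.Check(rotated)
	o.RotatedAccepted = okRot1 && okRot2
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The lesson carries over to the OpenVPN keys mentioned above: a client that pins the server's certificate would still reject a rogue server once the certificate is revoked, but only a check on the key, or a rotation of the key, closes the door on every certificate the attacker can sign with it.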
According to NordVPN’s article about the breach, “the key couldn’t possibly have been used to decrypt the VPN traffic of any other server.” Since NordVPN keeps no logs, usernames and passwords wouldn’t have been intercepted either. The company quickly terminated the server when the breach was discovered, limiting the scope of the impact to its users.
It’s at this point we should note that this is one server that was breached from an entire fleet of 3,000+ worldwide (a number that has grown since 2018), a breach that seems to have limited impact.
But in the midst of all this hullabaloo, another more interesting story is beginning to emerge: a story of one tech publication stoking the fires to make NordVPN’s security incident seem bigger than it is while ignoring similar breaches from TorGuard and Avast Secureline VPN.
The media response
Long before other publications got wind of NordVPN’s security breach, TechCrunch’s Zack Whittaker wrote a searing piece on the impact of the situation based on a thread from Twitter user @hexdefined. While the article that Whittaker writes starts off objectively, it begins to veer quite quickly into speculation, spreading “FUD” – Fear, Uncertainty, Doubt.
This is done largely with the help of a “senior security researcher” Whittaker claims to have spoken to, one who doesn’t hold back on piling on the fear and thereby elevating a normal story to something Oscar-worthy.
This unnamed “security researcher” makes the following serious claims:
- “this is an indication of a full remote compromise”
- “should be deeply concerning to anyone who uses or promotes these particular services”
- “Your car was just stolen and taken on a joy ride and you’re quibbling about which buttons were pushed on the radio?”
This entire issue of the anonymous security researcher was disastrously misunderstood by PCGamer, who decided that the security researcher was – somehow – actually “one NordVPN researcher, who declined to be identified.”
Is there anything to the senior researcher’s allegations?
There is only one claim by the nameless researcher that merits comment from a technical perspective: that NordVPN's disclosure points to a localized breach that could have spread throughout the whole network, or in the researcher's words, “[the evidence] is an indication of a full remote compromise of this provider’s systems.”
We have reached out to NordVPN for a comment on this claim. According to representatives at the company, this could not possibly be true:
“Our infrastructure is built in such a way that the breach of a single VPN server will always be isolated to that particular server. It is impossible to reach any other part of our core infrastructure (databases, the web, or other VPN servers) from a single VPN server. The NordVPN infrastructure doesn’t “trust” our VPN servers and was designed this way from the very early days of NordVPN.”
It is unclear what the allegation presented in the TechCrunch article is based on, but there’s next to no actual substance behind it – rather, it seems to serve as an instrument to attract more attention to the story.
Bottom line
One final thing to note on this topic is that TechCrunch, where much of the escalation of this story originated, may not be entirely unbiased, something that was not disclosed in the article. The website is owned by Verizon, which operates a VPN service of its own called Safe Wi-Fi. Verizon, as an ISP, has also been instrumental in the push to repeal net neutrality in the US, something VPN services can help get around.
In reality, the NordVPN server breach, while unfortunate, seems to be limited, and the company seems to have taken the necessary precautions to stop such events from happening in the future.