NordVPN, TorGuard, and VikingVPN breached

What Happened?

NordVPN, TorGuard, and VikingVPN were breached early in 2018. The attackers were able to gain root access to the VPN providers' servers.

  • An expired private key from one of NordVPN’s Finland-based servers was stolen and published online by an attacker, exposing user data. NordVPN has since terminated the contract with the owner of the compromised servers. 

  • TorGuard only had a single server compromised. The company has confirmed it was practicing secure PKI management and that the main CA key was not stored on the compromised server. 

  • The details of the VikingVPN breach have yet to be confirmed by the company. 

Why does this matter?

If a cyber-criminal takes possession of these private keys, they can generate their own server certificates and/or keys to set up a fake VPN service mimicking the real one. This would allow them to perform a Man-in-the-Middle (MITM) attack, impersonating the service to the user.

Based on the information available, the attackers could have had visibility into the unencrypted HTTP traffic flowing through the breached servers. That would have let them sniff the traffic directly or tamper with it by injecting malicious traffic. NordVPN has stated that the stolen key could not have been used to decrypt traffic on other servers. 

The attackers would also have been able to see users' DNS lookups, revealing their browsing activity and defeating the purpose of using a VPN altogether. 
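One way to check for the DNS exposure described above from the endpoint side is to look for DNS queries leaving in the clear (UDP/53) rather than over an encrypted channel such as DNS over TLS. The example below is added here for illustration and is not code from the original post or from any of the VPN providers; the flow-tuple format and the sample query bytes are constructed assumptions.

```python
import struct

# Constructed sample: a plaintext DNS query for "example.com" (type A, class IN),
# as it would appear in a UDP/53 datagram leaving an endpoint outside the tunnel.
PLAINTEXT_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT = 1
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT = 0
    b"\x07example\x03com\x00"    # QNAME as length-prefixed labels
    b"\x00\x01"                  # QTYPE = A
    b"\x00\x01"                  # QCLASS = IN
)

def parse_dns_query_names(payload: bytes) -> list:
    """Return the QNAMEs in a DNS query message, or [] if it is not a well-formed query."""
    if len(payload) < 12:
        return []
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000:           # QR bit set: a response, not a query
        return []
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                return []        # truncated message
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:    # compression pointers are not valid in a question name
                return []
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        pos += 4                 # skip QTYPE and QCLASS
        names.append(".".join(labels))
    return names

def dns_leaks(flows) -> list:
    """flows: iterable of (proto, dst_port, payload) tuples (assumed format).
    Returns the hostnames found in plaintext DNS queries; encrypted DNS (e.g. TCP/853)
    cannot be parsed and is therefore never reported as a leak."""
    leaks = []
    for proto, dport, payload in flows:
        if proto == "udp" and dport == 53:
            leaks.extend(parse_dns_query_names(payload))
    return leaks
```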

Although NordVPN has not released any evidence of malicious activity, they have launched a deeper investigation into their infrastructure. 

It’s important to remember that when using a VPN service, users are sending their traffic to a third party, therefore trusting them with the security and integrity of their data. 

Even though the VPN providers claim to store no logs or usernames/passwords, attackers still gained control of their servers. These incidents show the importance of avoiding a single point of failure in security and of never trusting something you can't test yourself. 

Byos µGateway: Endpoint Micro-Segmentation

We’ve always believed there was a better way to protect computers, laptops, and tablets from attackers, without relying on a VPN. That’s why we built the Byos µGateway.

The µGateway provides endpoint micro-segmentation through hardware-enforced isolation, removing the vulnerabilities left by VPNs; instead of routing traffic to third-party servers, all of the security processing is done on the µGateway before it reaches the network. The user’s browsing is completely private because the µGateway uses DNS over TLS for encrypted browsing queries.

Endpoint segmentation using the µGateway also stops attackers from stealing data by compromising the OS and software—something a VPN cannot prevent. 

People often ask us what happens to their data when they use the µGateway. The only time the µGateway talks to our servers is when it is booting up, first checking the validity of the user’s license and then checking for available security updates. Once that process is complete, the µGateway cuts off communication with our servers and begins providing the user with Layer 1 to Layer 5 protection. And if you don’t trust us, test it yourself and let us know what you find or check out our bug bounty whitepaper.

The µGateway is the first of its kind: a portable WiFi security device for protection on any network.

For more info about VPNs used in an enterprise setting, check out The Problem with VPNs.

Sources: 

The Half Dozen Risks of Using Dirty Public Wi-Fi Networks

Byos Bug Bounty #2 - Hardwear.io HardPWN 2019