Rumors and allegations regarding the hack were widespread, which is natural given that NordVPN is one of the most popular VPNs in the industry. While some of the reports about the security breach were true, they often lacked depth and context.
Some of the articles published about the breach contained questionable facts, and could be misleading to users. After weeks of investigating and monitoring the situation, here’s our take on the incident and the potential risk it posed.
The NordVPN Security Breach: Quick Facts
The NordVPN hack occurred on a single VPN server in Finland, one of the company’s more than 5,200 servers in 59 countries.
In March 2018, an anonymous user posted TLS private keys taken from NordVPN, TorGuard, and VikingVPN servers on 8Chan. The post drew little attention at the time; the material resurfaced in a tweet in October 2019, which led to a TechCrunch report on the hack.
How Can an Attacker Use an Expired TLS Key?
Here’s what NordVPN had to say about the security breach, and the chances a hacker would have of using a TLS key for nefarious purposes:
“The intruder did find and acquire a TLS key that has already expired. With this key, an attack could only be performed on the web against a specific target and would require extraordinary access to the victim’s device or network (like an already-compromised device, a malicious network administrator, or a compromised network). Such an attack would be very difficult to pull off. Expired or not, this TLS key could not have been used to decrypt NordVPN traffic in any way. That’s not what it does.
This was an isolated case, and no other servers or datacenter providers we use have been affected.”
Are NordVPN Users Compromised?
After studying all the available supporting evidence, we believe the answer is no, given that the hacker only accessed an expired TLS key for a single server in Finland.
Nor could the attacker have taken any activity logs from the server: under NordVPN’s no-logs policy none are written, so there was nothing on disk to take. (A policy on its own is not a technical control, but in late 2018 NordVPN passed a third-party audit by PwC that verified the no-logs claim, an audit it called the first of its kind in the industry.)
In addition, NordVPN is registered and operates from Panama, a country that’s a strong advocate for privacy. It doesn’t support any data retention laws, and it’s not part of any surveillance pact by the EU or the other countries that are part of the so-called 14 Eyes.
NordVPN also uses perfect forward secrecy: the keys that actually encrypt traffic are negotiated per session with an ephemeral Diffie-Hellman exchange (DHE/ECDHE), rekeyed periodically, and then discarded. The server’s TLS private key never encrypts traffic; it only signs the handshake so the client can verify it is talking to the genuine server. Possessing that key therefore does not let an attacker decrypt captured traffic, past or future. What a still-valid server key would allow is impersonation: an attacker who could also get on path between a user and the server (the “already-compromised device, a malicious network administrator, or a compromised network” in NordVPN’s statement) could sign a handshake of their own and stand in for the server. With the key expired, clients that check validity reject such a handshake, and in any case the attack requires a network position that most attackers do not have.
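To make the key-separation argument concrete, here is an added illustration, not NordVPN’s code and not TLS itself: a signed ephemeral Diffie-Hellman handshake in which the long-term server key only signs the ephemeral values. It is modelled with DH over the RFC 3526 2048-bit MODP group and a Schnorr signature in the same group, with a plain validity deadline standing in for certificate expiry; `Identity`, `run_handshake` and the other names are this example’s own. It shows that the session key differs on every run, that an on-path attacker without the server key is rejected, that one holding a still-valid copy of the key is accepted (impersonation), and that an expired key is refused before the signature is even checked.

```python
import hashlib
import secrets

# RFC 3526 group 14: 2048-bit MODP prime with generator 2 (a safe prime, so 2 generates
# the subgroup of order Q). Stands in for the TLS key-exchange group in this example.
P = int("".join("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2


def ib(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


def hash_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


# ---- long-term identity key: the thing the intruder walked off with ----
def keygen():
    x = rand_exp()
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    """Schnorr signature (r, s) over msg under private key x."""
    k = rand_exp()
    r = pow(G, k, P)
    e = hash_int(ib(r), msg) % Q
    return r, (k + x * e) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    e = hash_int(ib(r), msg) % Q
    return pow(G, s, P) == (r * pow(y, e, P)) % P


class Identity:
    """Stand-in for the server certificate: public key plus a validity deadline."""
    def __init__(self, pub: int, not_after: int):
        self.pub, self.not_after = pub, not_after


# ---- handshake: ephemeral DH, the long-term key signing only the ephemeral values ----
def client_finish(identity: Identity, now: int, a: int, A: int, B: int, sig):
    """Client side: returns the session key, or None if the server is not authenticated."""
    if now > identity.not_after:
        return None                              # expired identity: refuse outright
    if not verify(identity.pub, ib(A) + ib(B), sig):
        return None                              # signature not from the expected key
    return hashlib.sha256(ib(pow(B, a, P))).digest()


def run_handshake(identity: Identity, now: int, responder_priv: int):
    """One handshake. `responder_priv` is whatever private key the party answering the
    client uses: the real server's, or a copy (or a guess) held by an on-path attacker.
    Returns (client_key, responder_key, transcript). The exponents a and b are dropped
    on return, so the transcript holds only public values; nothing in it plus the
    long-term key recovers the session key."""
    a = rand_exp(); A = pow(G, a, P)
    b = rand_exp(); B = pow(G, b, P)
    sig = sign(responder_priv, ib(A) + ib(B))
    client_key = client_finish(identity, now, a, A, B, sig)
    responder_key = hashlib.sha256(ib(pow(A, b, P))).digest()
    return client_key, responder_key, (A, B, sig)


if __name__ == "__main__":
    priv, pub = keygen()
    now = 1_700_000_000
    valid, expired = Identity(pub, now + 86400), Identity(pub, now - 1)
    ck, sk, _ = run_handshake(valid, now, priv)
    print("honest handshake agrees:", ck == sk)
    print("attacker without key accepted:", run_handshake(valid, now, keygen()[0])[0] is not None)
    print("attacker with valid stolen key accepted:", run_handshake(valid, now, priv)[0] is not None)
    print("attacker with expired stolen key accepted:", run_handshake(expired, now, priv)[0] is not None)
```

The `responder_priv` parameter is the whole story of the leak: the signature is the only place the long-term key enters, so a copy of it buys the ability to sign a handshake, nothing more, and only once the holder is positioned to answer the client in the server’s place.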
Does the Breach Affect Users?
While we can’t be completely certain about the effects of the breach, the answer appears to be no. Again, there’s zero evidence to suggest that users’ traffic or information was exploited by the hacker. Therefore, since it wasn’t a data breach, we don’t see any cause for alarm.
How Did the Attacker Access the TLS Keys?
It’s not clear. NordVPN blames the data center that hosted the server in Finland:
“The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service.”
The Finland-based data center blamed NordVPN in a statement given to The Register:
“Yes, we can confirm they were our clients,” Viskari says. “And they had a problem with their security because they did not take care of it themselves.
“All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact, this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.”
And there’s a third theory. On Reddit, the founder of VikingVPN (no longer part of the company) argued that it seemed:
“...more like a disgruntled employee at Nord or the datacenter leaking the keys rather than a “hacker.”
Summary of Events According to NordVPN
NordVPN provided us with a few clarifications on the incident:
- We don’t have any evidence to suggest that our subscribers were impacted by the hack.
- The Finland server in question didn’t have any users’ activity logs stored on it. NordVPN client apps don’t employ users’ login details for authentication, and the data could not be accessed.
- The company’s VPN service was not breached. The code wasn’t hacked, and the VPN tunnel service was not breached either. The hack only happened on the single server.
- The attacker was able to access the server because of the security flaws caused by the data center that hosted the server. NordVPN has since cut its relationship with the third party, and the server has been erased from our network infrastructure.
Here’s the timeline of events according to NordVPN:
- The affected server was brought online on January 31st, 2018.
- Evidence of the breach appeared in public on March 5th, 2018, but NordVPN was unaware of it at the time; there is also evidence that the material surfaced soon after the intrusion itself.
- The intrusion was partially contained when the data center deleted the undisclosed management account on March 20th, 2018.
- The server was shredded on April 13, 2019, as soon as the company learned of the possible breach from the data center.
NordVPN Security Upgrade Plans
Following the server hack, NordVPN released a statement explaining its security upgrade plans:
“Since the discovery, we have taken all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure.”
As mentioned above, NordVPN is one of the few major VPN providers to have had its no-logs claim checked and confirmed by a third-party audit. In October 2019 it also completed a separate security assessment of its applications by VerSprite. Here’s what NordVPN said about those results:
“Low- and Medium-level vulnerabilities provide minimal access to the app and user data. Their presence is not a serious issue, but we’ve patched them all up anyway.
Every high-level vulnerability found by VerSprite required the user’s device to already be severely compromised to actually work. This means the vulnerabilities were moot—a hacker with this much access to your device would have free rein over your device anyway and could simply watch anything you do while using NordVPN instead of hacking it. These high-level vulnerabilities could have provided deeper access to the user’s data, but they have all been fixed.”
Here’s a detailed list of all the security upgrades NordVPN has already begun to implement, or intends to:
- Hired the major cybersecurity firm VerSprite to conduct advanced penetration testing on the VPN’s infrastructure, with the aim to uncover additional vulnerabilities.
- Began a “bug bounty program,” so that independent security experts who uncover vulnerabilities and report them to the VPN provider will get cash rewards. It’s not yet clear whether NordVPN will self-manage the program or have it done via a third-party company like HackerOne.
- Another full-scale third-party security audit of software infrastructure in 2020. This will include VPN software, backend procedures, infrastructure hardware, backend source-code, and internal procedures. The firm that will conduct the audit has not yet been named.
- Build a network of colocated servers that NordVPN owns outright, instead of renting servers from third-party hosting companies whose configuration it cannot fully control. Owning the hardware lets NordVPN control physical access and, in particular, the out-of-band management interfaces (IPMI, iLO, iDRAC) whose undisclosed account led to this hack.
- An upgrade of its entire network of over 5,200 servers to diskless RAM-only servers, on which nothing, not even the operating system, is stored locally. A server that is seized, powered off, or re-imaged then holds no configuration and no data. Note what this does and does not cover: it removes what an attacker can take from the hardware at rest, but an intruder on a running server still sees whatever is in memory at that moment.
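The management interfaces that both sides of this dispute mention (the data center’s iLO/iDRAC, NordVPN’s IPMI) listen on UDP port 623 and answer an RMCP/ASF Presence Ping whether or not anyone has ever set a password on them. What follows is an added example, not NordVPN’s or the data center’s code: a minimal prober that builds the ping the way tools such as ipmiping do and parses the pong, which a tenant can run from the public side of a rented server to confirm that its BMC is not reachable from where it should not be. The function names and the sample response are this example’s own, constructed for the offline check.

```python
"""Probe for an exposed IPMI baseboard management controller (BMC) via RMCP/ASF Presence Ping."""
import socket
import struct

RMCP_PORT = 623
ASF_IANA = 0x000011BE          # IANA enterprise number used by ASF messages
MSG_PRESENCE_PING = 0x80
MSG_PRESENCE_PONG = 0x40


def build_presence_ping(tag: int = 0) -> bytes:
    # RMCP header: version 6, reserved, sequence 0xFF (no RMCP ack wanted), class 6 (ASF)
    # ASF message: IANA enterprise number, message type, tag, reserved, data length 0
    return (struct.pack("!BBBB", 0x06, 0x00, 0xFF, 0x06)
            + struct.pack("!IBBBB", ASF_IANA, MSG_PRESENCE_PING, tag & 0xFF, 0x00, 0x00))


def parse_presence_pong(data: bytes):
    """Return a dict describing the responder, or None if `data` is not a valid Presence Pong."""
    if len(data) < 28:                     # 4 RMCP + 8 ASF header + 16 data bytes
        return None
    ver, _res, _seq, cls = struct.unpack("!BBBB", data[:4])
    iana, mtype, tag, _res2, dlen = struct.unpack("!IBBBB", data[4:12])
    if ver != 0x06 or (cls & 0x0F) != 0x06 or iana != ASF_IANA:
        return None
    if mtype != MSG_PRESENCE_PONG or dlen != 0x10:
        return None
    oem_iana, oem_defined, entities, interactions = struct.unpack("!IIBB", data[12:22])
    return {
        "tag": tag,
        "ipmi_supported": bool(entities & 0x80),     # bit 7 of Supported Entities
        "asf_version": entities & 0x0F,
        "oem_iana": oem_iana,
        "oem_defined": oem_defined,
        "rmcp_security_extensions": bool(interactions & 0x80),
    }


def probe_bmc(host: str, timeout: float = 2.0, tag: int = 0x2A):
    """Send one Presence Ping; return the parsed pong, or None if nothing valid answered.
    No answer is not proof the BMC is unreachable (pings can be disabled); an answer is
    proof that it is reachable from here."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_presence_ping(tag), (host, RMCP_PORT))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    pong = parse_presence_pong(data)
    if pong is None or pong["tag"] != tag:      # ignore replies to someone else's probe
        return None
    return pong


# Constructed sample (not a captured packet): what an IPMI-capable BMC replies to tag 0x2A.
SAMPLE_PONG = bytes.fromhex(
    "0600ff06"                  # RMCP: version 6, reserved, seq 0xFF, class ASF
    "000011be" "40" "2a" "00" "10"   # ASF: IANA, Presence Pong, tag, reserved, length 16
    "000011be"                  # OEM IANA (no OEM-specific capabilities)
    "00000000"                  # OEM defined
    "81"                        # Supported Entities: IPMI supported, ASF version 1.0
    "00"                        # Supported Interactions: no RMCP security extensions
    "000000000000"              # reserved
)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, "->", probe_bmc(target) or "no RMCP reply")
```

Run it against your own server’s public address (and from a neighbouring tenant’s network, if the host lets you) before trusting anyone’s assurance that the BMC sits on an isolated management VLAN. Probing hosts you are not authorised to test is a separate matter.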
Final Thoughts on the NordVPN Security Breach Incident
The fact that NordVPN has such a large user base and such an extensive network of servers around the world helped raise its profile as a target of cyber-attackers. It’s understandable why even a single server hack got so much publicity.
And we understand why the event has divided users. On one hand, some feel it wasn’t an actual hack, given that the key had expired and no logs were accessed. But given the potential risks involved, others have had their faith in the VPN shaken.
After a thorough review of the incident, we’re confident that NordVPN is still safe and secure to use. We’re also convinced that new security advancements being implemented and planned will make the service even better.