UPDATED May 13, 2020, with clarification from VPNpro.
Two prominent VPN services could have been hacked through malicious software updates, researchers from news website VPNpro discovered. If you were using one of them, your computer could have been completely hijacked with almost any kind of malware before you realized it.
The two VPN services, Betternet and PrivateVPN, have since fixed the flaws. But before that, the Betternet and PrivateVPN client software on a Windows PC could have been infected with fake software updates delivered through man-in-the-middle attacks, in which the client software would not realize it was receiving updates from a malicious source rather than from the legitimate software-update server.
“Rather than protect their users’ data, PrivateVPN and Betternet [had] overlooked a crucial security aspect that allows for malicious actors to steal that data or do even worse actions,” the VPNpro report said.
The VPNpro researchers looked at 20 widely used VPN services: Betternet, CyberGhost, ExpressVPN, Hide.me, HMA (Hide My Ass), Hola VPN, Hotspot Shield, IPVanish, Ivacy, NordVPN, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, TorGuard, TunnelBear, TurboVPN, SurfShark, VyprVPN and Windscribe.
Fourteen of the VPN services had no issues. But it was possible to intercept the client-server communications of six VPN services, including Hotspot Shield and Hide.me, although neither of those two services’ client software actually connected to VPNpro’s proof-of-concept malicious server.
Four of the services’ client software did connect to VPNpro’s malicious server. Two of those, CyberGhost and TorGuard, did not download the malicious software update VPNpro had put there.
Betternet and PrivateVPN both did, though. The Betternet client software did not automatically install the malicious update, but prompted the user to do so. (Most users probably would click “OK” without hesitation.) The PrivateVPN client installed the update automatically.
The real-world implications
The attacks described are not purely academic or confined to a lab setting.
“Imagine you’re sitting in a cafe or at the airport and connect to the free Wi-Fi,” VPNpro said in its report. “You make sure to connect to a VPN before going online. Then, you get a notification on your VPN tool to install a recent update.
“Of course, you do, because it’s important to keep your software up-to-date,” VPNpro said, then added that doing so could install ransomware, spyware or practically any kind of malware on your computer.
You can avoid such attacks, VPNpro said, by making sure to never download any software updates from an untrusted or open Wi-Fi network. It’s all too easy for pranksters and criminals to set up malicious Wi-Fi hotspots with innocuous names like “Starbucks Wi-Fi” or “AT&T Free Hotspot.”
And, of course, you can avoid most malware attacks, no matter how they arrive on your computer, by running one of the best antivirus programs.
Update from VPNpro
After getting blowback from some of the VPN providers who fell into the “intercepted” but not totally hacked category, VPNpro added these paragraphs to its initial report.
If a VPN has a “Yes” for the question “Can we intercept the connection?,” this means that the VPN software had no additional certificate pinning or similar procedures in place that would prevent us from intercepting the communication with the update network requests. We were able to intercept the connection for 6 of the VPNs, while 14 had the proper certificate pinning in place.
In general, some readers mistakenly assumed that “intercepting communications” meant that we were intercepting the communications between the user and VPN server, but in reality our research is about updates and the client endpoints, and not about touching the VPN connection.
If a VPN has a “Yes” for the question “Did it connect while being intercepted?,” this means that the VPN software established a connection to the VPN server while being on a malicious connection. If the answer is “No,” it didn’t connect. In our tests, 4 of the top 20 VPNs established this connection, while 16 of the VPNs did not connect.
However, because our POC was based on pushing a fake update through the app, and since those VPNs (CyberGhost, Hotspot Shield, Hide Me and TorGuard) didn’t accept it, we didn’t consider this a vulnerability.
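The certificate pinning VPNpro describes above, as an added example that is not VPNpro’s or any VPN vendor’s code: a Go update client that aborts the TLS handshake with the update server unless the server’s public key matches a pin compiled into the client, so an intercepted connection never gets as far as downloading an update. The hostname and the self-signed certificates are constructed assumptions; Go’s normal certificate-chain validation still runs before the pin check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin: base64 SHA-256 of the SubjectPublicKeyInfo, the common pin format.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// makePinChecker builds a tls.Config.VerifyPeerCertificate callback: Go runs normal
// chain validation first, then this requires the leaf key to match a pin shipped in the client.
func makePinChecker(pins map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		leaf, err := x509.ParseCertificate(rawCerts[0]) // the TLS stack sends the leaf first
		if err != nil {
			return err
		}
		if pin := spkiPin(leaf); !pins[pin] {
			return fmt.Errorf("update server key pin mismatch: %s", pin)
		}
		return nil
	}
}

// selfSignedCert is constructed fixture data so the example runs offline (errors ignored for brevity).
func selfSignedCert(cn string) *x509.Certificate {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	// Same hostname on both certificates; only the attacker's key differs, which is exactly what the pin catches.
	vendor, mitm := selfSignedCert("updates.vpn.example"), selfSignedCert("updates.vpn.example")
	check := makePinChecker(map[string]bool{spkiPin(vendor): true})
	fmt.Println("vendor:", check([][]byte{vendor.Raw}, nil), "| mitm:", check([][]byte{mitm.Raw}, nil))
}
```

Without the pin, a hostile hotspot that can get any publicly trusted certificate for the update hostname passes chain validation, which is the gap VPNpro’s “Can we intercept the connection?” column records.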