Last week Jan Youngren from VPNpro wrote about several vulnerabilities his team found in the client software of various VPN service providers. He didn’t investigate the protocols used for VPNs but looked at the rest of the software, such as how the clients set up connections and install updates. Many VPN clients have a mechanism to connect back to the provider and retrieve updates to the VPN software directly. The researchers found that in some cases the VPN software doesn’t properly verify the source of an update before downloading and executing it. A provider that sells a secure VPN should ensure the highest level of security.
Of the 20 VPNs tested, six VPN providers don’t use certificate pinning. Certificate pinning ensures that a secure connection is created only with a specific server certificate that the application itself trusts. This prevents a malicious certificate from affecting the connection. That said, recent vulnerabilities found in certificate pinning make pinned certificates no more secure than normal certificate usage if an attacker already has access to the client. If an adversary has access to your device, then they have already bypassed your VPN security. I don’t believe VPN providers must use certificate pinning for the updates and VPNpro agrees. But if a third-party certificate is installed on your computer, then the certificate owner could intercept the connections from TorGuard, CyberGhost, Hotspot Shield, and Hide Me as well as the vulnerable PrivateVPN and Betternet.
Jan found that not only could he intercept the management connections for PrivateVPN and Betternet without a trusted certificate, but he could also trick both clients into downloading malicious updates from his server. He didn’t go into detail on how the team performed the test, but they could have redirected an HTTPS request to HTTP or even a DNS request to his fake malicious servers. After downloading, Betternet asks the user to confirm before installing the malicious update. PrivateVPN doesn’t ask the user and automatically installs the fake malicious update. The vulnerability allows access to the VPN’s update communication, where an adversary could add malware. For both VPNs, the victim’s computer becomes more vulnerable by having the VPN software installed than without it.
PrivateVPN and Betternet corrected this vulnerability by properly checking the source of updates. If you use these VPNs, ensure you have the latest update by downloading it over a trusted connection. Also, a VPN doesn’t automatically secure your connection to the Internet. Vulnerabilities in the client software and the servers can still create havoc for users. Always check your server connection, and if a secure connection fails, stay away and come back when it works again.
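
What "properly checking the source of updates" can look like on the client side, as an added example that is not code from VPNpro or from any of the vendors named above. The host name, certificate bytes, installer bytes and the idea of an already-authenticated release manifest are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed values: the host, certificate bytes and installer are placeholders.
UPDATE_HOST = "updates.vpn.example"
GOOD_CERT_DER = b"constructed-der-certificate"
PINNED_CERT_SHA256 = {hashlib.sha256(GOOD_CERT_DER).hexdigest()}
GOOD_PAYLOAD = b"constructed installer bytes"
# Assumption: this digest comes from a release manifest the client has
# already authenticated (for example with a vendor key shipped in the client).
EXPECTED_SHA256 = hashlib.sha256(GOOD_PAYLOAD).hexdigest()


def check_update(url_chain, peer_cert_der, payload, expected_sha256):
    """Return the reasons to reject an update; an empty list means accept.

    url_chain is every URL visited, redirects included, so an HTTPS request
    that was bounced to HTTP or to another host is caught.
    """
    problems = []
    for url in url_chain:
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"non-HTTPS hop: {url}")
        if parts.hostname != UPDATE_HOST:
            problems.append(f"unexpected host: {url}")
    # Pin check: the certificate the server presented must be one we shipped.
    if peer_cert_der is None:
        problems.append("no server certificate (connection was not TLS)")
    elif hashlib.sha256(peer_cert_der).hexdigest() not in PINNED_CERT_SHA256:
        problems.append("server certificate does not match pin")
    # Integrity check: the bytes about to be executed must match the manifest.
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        problems.append("payload digest mismatch")
    return problems


if __name__ == "__main__":
    ok = ["https://updates.vpn.example/client.exe"]
    downgraded = ok + ["http://updates.vpn.example/client.exe"]
    print(check_update(ok, GOOD_CERT_DER, GOOD_PAYLOAD, EXPECTED_SHA256))
    print(check_update(downgraded, None, b"tampered", EXPECTED_SHA256))
```

In a real client the certificate bytes would come from the TLS socket, for instance `ssl.SSLSocket.getpeercert(binary_form=True)`, and the installer would run only when the returned list is empty.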