Many people use a Virtual Private Network (VPN), either to access their employer’s network or for personal reasons. In this article we’ll discuss VPN security and explore the question of whether a VPN can be hacked. But first we’ll look at some VPN basics: what a VPN is, why use one, and what technology is behind VPNs.
What is a VPN?
A private network is, as the name implies, a network that is private, not open to the public. Most businesses, educational institutions, government organizations and many larger non-profits have an internal local network, including a server that hosts their own data and/or applications.
A VPN allows a user who is working at a different location to access a local network using the physical connection of the public network (internet). Using a virtual, private, and secure communications channel, a remote user is connected to the local network and has access to the resources on that local network.
VPNs can be either site-to-site, allowing an organization to connect two separate networks (for example, a corporate headquarters and its branch offices), or remote access, used by individuals to connect to a corporate network. In this article we’ll focus on remote access applications of VPNs.
Why Use a VPN?
VPNs can be used for either work or personal purposes. Common uses for VPNs are:
- Accessing a corporate or other organizational network
- Improved security
- Circumventing censorship
- Keeping browsing habits secret
- Cloaking the user’s location
Accessing a corporate or organizational local network
The original purpose of VPNs – that is, the business case for which they were developed — was to allow people to access a corporate or other organization’s network from a remote location. This remains one of the most common applications for which people use VPNs today. Since VPNs are always encrypted, accessing the internet through a VPN adds an additional layer of security to any communications conducted over that link. While VPNs have been used for decades, during the course of the coronavirus pandemic that started in the spring of 2019, many more people started working from home, and the most common way for those workers to access the IT resources they needed was by way of a VPN. With the help of a VPN such users can access everything on the network, just as if they were inside the facility.
Uses for VPN Services
As with many technologies that were initially developed for business purposes, VPNs have been put to many uses – and misuses – by private individuals. In response to this demand, companies provide VPN services that allow the public to take advantage of certain features enabled when connecting to the internet through a VPN. According to one estimate, 30% of internet users around the world use a VPN service. The percentage is higher in Asia, Africa, and the Middle East.
Internet censorship is a huge issue in many areas of the world. A 2018 survey of 65 countries found that 31% – 20 countries – had a high degree of internet censorship. Most of the countries that heavily censor internet use are in the Middle East or Asia, and include China, Iran, Russia, and Saudi Arabia. If residents of a country with heavy censorship want to bypass those controls, they can access the internet using a VPN service. The VPN service will typically route their internet access via a free country, such as the US or UK, and since the connection back to the user is encrypted, the national government where the user resides has no ability to censor that traffic or those websites. China has made it illegal for its citizens to use an unapproved VPN as a method to circumvent “the great firewall” that the country has built to control internet access.
Using a VPN to access the internet also means that the specific websites a user accesses are hidden from the user’s local Internet Service Provider (ISP). This can be important for the same people accessing censored sites – they don’t want the local authorities to know their surfing habits. This is also a desirable feature for people who value their privacy and don’t want other people to know their browsing habits.
An increasingly common use for VPN services is to allow users to appear as if they are in a different country, to foil georeference-based limitations. Because of different copyright laws and licensing agreements, streaming services such as Netflix may not be available in all countries, and in many cases, they will offer different movies or TV shows in country A than in country B. Many VPN services have internet Points of Presence in different cities and different countries, allowing users to choose which VPN server they wish to use to access the internet. In this way, a user can appear to be in a different country as a way of circumventing IP-based georeferencing blocks. There’s a bit of a cat and mouse game between VPN services and streaming services around this usage case: the streaming services block IP addresses known to be associated with VPNs, and the VPN service providers look for ways to keep changing their IP addresses to get around those blocks and protect their business.
The Technology Behind VPNs
There is no single VPN technology: rather, different VPN variations are available. In this article we consider common VPN technologies and a number of the most commonly found variations.
All VPNs establish a “tunnel” — the encrypted connection through which the end device (typically a computer, tablet, or smartphone) communicates with the network.
Before a VPN tunnel can be established, the user needs to be authenticated to ascertain that they are who they claim to be. Authentication can be done using passwords, multi-factor authentication, biometrics, or other techniques. The selection of authentication protocol is independent of the tunneling protocol.
Tunneling Protocols
There are a variety of technologies and protocols that can be used to establish and maintain the VPN tunnel. Some of the most common include:
- PPTP (Point-to-Point Tunneling Protocol). PPTP is sort of the “granddaddy” of VPN protocols, going back to Windows 95. It has known security flaws – so it’s better avoided – yet it’s still in use because it’s built into Windows, Linux, and macOS, making it easy to use.
- L2TP/IPSec (Layer Two Tunneling Protocol/Internet Protocol Security). L2TP is newer than PPTP. Unlike PPTP it does not have encryption built-in – instead it uses IPSec for encryption. IPSec uses 256-bit encryption, unlike PPTP’s 128-bit encryption. Compared to PPTP, L2TP/IPSec uses more overhead and can be more complicated to configure, but is also generally considered more secure.
- SSTP (Secure Socket Tunneling Protocol). SSTP is a proprietary Microsoft protocol, available on Windows, that runs PPP (Point-to-Point Protocol) or L2TP through an SSL/TLS channel.
- OpenVPN. Similar to SSTP, OpenVPN runs on SSL/TLS, but it’s open source. Since SSL is built into every modern web browser, OpenVPN can be implemented in a way that’s “clientless,” meaning users don’t have to install any special software on their device. Being open source, it’s inherently more vulnerable to hacking than proprietary technologies such as SSTP.
- IKEv2 (Internet Key Exchange version 2). IKEv2 is a newer protocol based on IPSec developed by Microsoft and Cisco.
Here are the pros and cons of these different tunneling protocols:
- PPTP: Easy to install, but not very secure. Not recommended.
- L2TP/IPSec: Easy to set up, available on almost all types of devices, good security. May have slower performance than other protocols and can be blocked by firewalls.
- SSTP: Good security, supports different types of encryption, easy to use. Works best on Windows.
- OpenVPN: Good security, supports different types of encryption, highly customizable. Based on SSL, there are ways to implement it without a VPN client on the remote end. It’s complex and hard to set up, and requires third-party software. Mobile implementations may not be as secure.
- IKEv2: Good security, supports different types of encryption, fast, reliable connections, easy to set up. Not supported by all platforms, and since it’s based on IPSec, it has some of the same issues.
Some VPN service providers will let you choose which protocol to use to connect to their VPN, since some will work better with some setups than others.
Encryption
The tunneling protocol is the methodology used to set up the connection. Encryption is the way that the actual data and commands going over that connection are kept secure. All digital information is transmitted as a stream of ones and zeroes. Encryption uses a “key” to scramble the ones and zeroes. Without the key, you have no way to decode the information and know what’s there.
There are two different types of keys: symmetric and asymmetric. With symmetric key encryption, both the sender and the receiver use the same key. Asymmetric key encryption is also known as “public key cryptography.” With asymmetric key cryptography, different keys that are mathematically related are used to encrypt and decrypt the message. The public key is used for encrypting messages and the private key for decrypting.
Asymmetric encryption is generally considered more secure than symmetric encryption. Symmetric encryption is much faster than asymmetric encryption because it’s much simpler mathematically. Since asymmetric encryption uses a different key for decryption than for encryption it takes a lot more processing.
VPNs take advantage of the best features of both: they use asymmetric encryption to create a secure connection; symmetric keys can then be safely shared through that connection and used for the actual transmission of data. That first step is known as a “VPN handshake.” There are a couple of different algorithms that can be used for the VPN handshake, the most common being RSA (Rivest-Shamir-Adleman) and Perfect Forward Secrecy. Perfect Forward Secrecy is considered to be more secure. RSA comes in different grades; RSA-1024 was cracked by NASA in 2010, so if using RSA, use RSA-2048 at a minimum.
The most common encryption algorithms used by commercial VPN providers are AES and Blowfish. Both use symmetric key encryption. Blowfish has known vulnerabilities and is not considered as secure as AES. AES is typically available with either 128-bit or 256-bit key lengths. The longer key is much more secure and will sometimes be advertised by VPN providers as “military grade encryption.” AES was established by the US National Institute of Standards and Technology (NIST), which has led some people to speculate that the NSA has a “backdoor” into AES, although none has ever been found.
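The two-stage design described above (an asymmetric handshake that yields a symmetric key for the data channel) can be shown in a few lines. This is an added example, not code from any VPN product: it uses an ephemeral X25519 key exchange, the kind of handshake that provides forward secrecy, in place of RSA, and AES-256-GCM for the data. It assumes the third-party Python `cryptography` package, and it omits the certificate check that a real VPN uses to authenticate the peer's public key.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

def derive_session_key(own_private, peer_public):
    """Asymmetric step: turn the key-exchange output into a 256-bit AES key."""
    shared = own_private.exchange(peer_public)
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=b"example vpn session").derive(shared)

def handshake():
    """Both sides create fresh (ephemeral) key pairs for every session."""
    client_eph = X25519PrivateKey.generate()
    server_eph = X25519PrivateKey.generate()
    # Only the public halves cross the network.
    client_key = derive_session_key(client_eph, server_eph.public_key())
    server_key = derive_session_key(server_eph, client_eph.public_key())
    return client_key, server_key

def seal(key, plaintext):
    """Symmetric step: encrypt one tunnel packet with AES-256-GCM."""
    nonce = os.urandom(12)  # must never repeat under the same key
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)

def unseal(key, blob):
    """Decrypt and authenticate; raises if the key or the data is wrong."""
    return AESGCM(key).decrypt(blob[:12], blob[12:], None)
```

Because the key pairs are discarded after each session, a key recovered from one session does not decrypt traffic captured from another.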
How Can a VPN be Hacked?
There is no such thing as a perfectly secure online connection. Some, however, are better than others. Here are seven different ways that your VPN connection could be compromised:
- Crack the VPN’s encryption. Hackers could use a powerful computer to try and break the VPN’s encryption. In reality, this is rare because it takes a LOT of computing power. However, as computing power has gotten cheaper, older encryption algorithms with shorter keys are more vulnerable. This is why you should prefer AES over Blowfish and 256-bit keys over 128-bit keys.
- Steal the keys. Why break down the door if you can find the key to the house under a flowerpot? Cyberthieves would also rather steal the key than put in the work to crack the encryption. VPNs are usually safe from “man in the middle” attacks, where someone intercepts the traffic, for example from a public WiFi system, because the traffic is encrypted. If a cyberthief broke into a VPN server and found the encryption keys, they would be able to “eavesdrop” on any traffic going by. These attacks can also alter the data sent or direct you to a fake page to steal your login credentials.
- Exploit vulnerabilities. Software is never perfect, and vulnerabilities that could allow a bad actor to break into a VPN pop up with alarming frequency. Unfortunately, many companies fail to take the proper precautions, and are insufficiently vigilant about installing software patches that fix these vulnerabilities. VPN vulnerabilities were responsible for 15% of the ransomware attacks in early 2020.
- Infected end points. Malware on a remote computer could be uploaded to the network via the VPN, allowing compromise of the network.
- Split tunneling. This is a more vulnerable configuration of SSL VPNs. If the remote device is simultaneously running network traffic to both the private network and the public network without having all traffic go through the VPN tunnel, attackers on the shared network can compromise the remote computer.
- Compromised credentials. If a corporate VPN relies solely on passwords to authenticate users, it could be vulnerable if those login credentials are compromised. Users all too often choose easy-to-remember (and thus easily cracked) passwords, or they reuse passwords. Reusing passwords is risky, because if one site gets hacked and passwords are compromised, those same passwords can be used by hackers to try to access other things, such as VPNs. Credentials can also be stolen through phishing attacks. It’s good practice to require two-factor authentication to a corporate VPN to make it harder for cyberthieves to get in.
- IP and DNS leaks. This isn’t exactly hacking – but it’s still a failure of poorly configured VPNs. As mentioned above, many people use a VPN because they want to avoid censors or the authorities. In an IP leak, a user’s real IP address (and physical location) will be exposed. With a DNS leak, other people can see a user’s DNS requests, and know what websites a user is visiting.
VPN Security Track Record
The core VPN technology is largely secure. The encryption methods and techniques protect almost all VPNs from being broken into or decrypted through brute force methods.
That being said, a VPN connection is only as secure as the people implementing it make it. As mentioned above, 15% of ransomware attacks in 2020 came through VPN vulnerabilities – which in the vast majority of cases are hackers exploiting known vulnerabilities before a network administrator gets around to installing the software patch that addresses them. Users can be vulnerable to phishing attacks that steal VPN credentials, and they can click on malware that uses the VPN connection to infect a company’s network.
Securing a Corporate VPN
VPNs are a very valuable tool for corporations and other organizations, but it takes concerted effort to keep them safe. Here are some tips for making a corporate VPN more secure:
- Keep all software up to date. Make sure security patches are installed on a timely basis.
- Avoid the PPTP tunneling protocol as it’s more vulnerable than other protocols.
- Avoid using Blowfish for encryption; AES is more secure.
- Don’t use RSA-1024 for the VPN handshake.
- Implement two-factor authentication. Passwords alone for authentication are not enough.
- Protect your network from malware with Remote Browser Isolation.
- Sometimes, no matter how careful you are, your VPN may be compromised by cyberthieves. Minimize the chances that this can happen and mitigate the damage that can be done with Zero Trust Network Access.
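Several of these tips, along with the split tunneling and DNS leak issues listed earlier, can be checked mechanically. The following is an added example, not part of the original article: a small audit of an OpenVPN client configuration. The directive names are real OpenVPN options, while the rule set, the finding labels and both sample configs are constructed here, and the audit assumes the file is the effective configuration (the server pushes no extra options).

```python
# Added example: audit an OpenVPN client config against the checklist above.
# Rules, finding labels and sample configs are constructed for illustration.

def parse_directives(text):
    """Return {directive: [args, ...]}, skipping comments and blank lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = line.split()
        directives.setdefault(name.strip("<>"), []).append(args)
    return directives

def audit_openvpn(text, windows=True):
    d = parse_directives(text)
    findings = []
    ciphers = [c.upper() for name in ("cipher", "data-ciphers")
               for args in d.get(name, []) for a in args for c in a.split(":")]
    if any(c.startswith("BF-") for c in ciphers):
        findings.append("blowfish-cipher")      # Blowfish, e.g. BF-CBC
    if ciphers and not any(c.startswith("AES-256") for c in ciphers):
        findings.append("no-aes-256")           # no 256-bit AES offered
    if "redirect-gateway" not in d:
        findings.append("split-tunnel")         # not all traffic is tunnelled
    if "auth-user-pass" in d and "cert" not in d:
        findings.append("password-only-auth")   # no client certificate
    if windows and "block-outside-dns" not in d:
        findings.append("dns-leak-possible")    # Windows-only directive
    return findings

WEAK = """
client
remote vpn.example.com 1194   # constructed hostname
cipher BF-CBC
auth-user-pass
"""

HARDENED = """
client
remote vpn.example.com 1194
data-ciphers AES-256-GCM:AES-256-CBC
cert client.crt
key client.key
auth-user-pass
redirect-gateway def1
block-outside-dns
"""
```

Calling `audit_openvpn(WEAK)` returns all five findings, and `audit_openvpn(HARDENED)` returns an empty list.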