When they first appeared, VPNs seemed to be a game-changer for internet users. By encrypting personal data and routing it through servers around the world, these apps could free individuals from the fear of hacking – both from criminals and official agencies.

That was the dream, in any case. But, as the Snowden revelations proved, many Virtual Private Networks (VPNs) possess fatal vulnerabilities, putting them at risk from all kinds of attackers.

In this article, we’ll take a look at VPN hacking, and ask whether it is as worrying as Snowden suggests, or whether there are reasons to be optimistic. We’ll look at how hackers might compromise VPNs, and how to choose a provider that minimizes your personal risks.

Can a VPN be hacked?

When you subscribe to a VPN, the “private” part tends to be foremost in your mind. The whole reason for purchasing paid encryption and anonymization is to keep you safe from hackers and surveillance. But what if you’ve been ripped off, and the VPN you hoped would protect you, is actually riddled with flaws?

While most providers are sound, there are plenty of instances of companies which fail to deliver uncrackable encryption and watertight leak protection. In those cases, hacking is always a possibility.

But the risks aren’t limited to poor-quality providers. Even VPNs with excellent 256-bit AES encryption and OpenVPN protocols can be hacked with a little technological trickery. This was part of the Snowden revelations, which revealed that the NSA was using interception techniques to capture encrypted traffic.

This traffic would then be used as the basis for decryption processes which often managed to create usable VPN keys.

So it’s worth looking in more detail about what makes Virtual Private Networks vulnerable, whether it’s a pressing concern for everyday users, and what you can do to remain secure.

Some key VPN vulnerabilities, and why they matter

Firstly, what are the weak points of a VPN? Hackers could potentially target a number of aspects of any provider, including:

  • Encryption – It’s becoming rare for VPNs to offer encryption based on older techniques like 128-bit AES ciphers, but it does still happen. If a provider doesn’t clearly state that it uses 256-bit “military-grade” AES encryption, then the cipher it uses is most likely crackable, given enough computing power.
  • Protocols – If data isn’t “wrapped up” properly in the VPN tunnel, hackers can “unwrap” it fairly easily. Again, older standards offer weaker security here (such as PPTP). But OpenVPN-based protocols tend to be fairly tough to hack. However, even then hackers are constantly looking for loopholes, such as the VORACLE vulnerability, isolated in 2018.
  • Servers – All VPN data must be passed through banks of servers, where it is decrypted and sent on to its destination. But what if these servers were compromised? How would you know? Some providers rent all of their servers and even outsource maintenance to third parties. Others rent servers, but maintain them themselves. And some own all of their infrastructure. Generally speaking, that’s a much more secure solution.
  • Apps – Normally, users will need a client of some form to connect with Virtual Private Networks, and this app can present its own hacking risks. For example, plenty of security apps available on Google Play have been flagged as malware conduits – especially the free versions. This malware can then seed itself on your smartphone or desktop, sending valuable data to hackers.

You might also add the risk of VPN companies actually being criminal enterprises in their own right. This could stretch from selling user data illegally to their marketing partners, or actively spreading ransomware. It does happen, but it’s fortunately quite rare. Still, it’s something users need to be aware of.

How hackers can bypass your encryption

The most important hacking risk is based around encryption. Encryption is what makes a VPN what it is. It scrambles plain text, using secret keys to create a cipher that only VPNs and their users can decode. If it’s compromised, then the whole service is pointless. But how easy is it to actually compromise a Virtual Private Network’s encryption systems?

Thankfully, the basic answer is: not very.

If we assume that a provider is relying on 2048-bit encryption (which is the industry standard right now), current computing technology would be able to crack the cipher in around 6.4 quadrillion years – at least according to online security experts DigiCert.

But what if the hackers had a head start, allowing them to guess the key more quickly? That seems to be the way the NSA targeted VPNs, and it can make the decryption process much, much faster.

We know that the NSA prized open Virtual Private Networks used by foreign organizations like Al Jazeera and Iran Air. And the Agency also set up a special body called “VPN SIGINT Development” to build its capabilities in that area.

However, we don’t know what techniques the Agency has used. But one thing is likely: it didn’t head straight for the encryption used by Virtual Private Networks.

Apparently, spies used malware dissemination instead, creating a malware agent called “Hammerstein” which was designed specifically to compromise VPN servers. Another agent called “Turbine” was disseminated to individual computers that the NSA wanted to infiltrate.

It’s likely that this malware gave analysts a head-start when decrypting traffic sent over VPNs. And what’s concerning is that the companies involved seem to have had no idea this was happening.

But – before you uninstall all of your security tools and head for the hills, the Intercept reported something more encouraging. According to its team, the NSA had much more success targeting IPSec encryption. AES-based VPNs appear to be off limits, as far as we know.

VPN protection and how to make it more secure

Most of us aren’t likely to be caught up in a Deep State investigation (although it definitely could happen, whether we deserve it or not). Instead, our main security issues will probably relate to criminal groups. And here, the picture is pretty encouraging.

By and large, VPNs do a good job at keeping your data protected from garden-variety hackers. And, more importantly, they tend to make you much safer than you would be without a VPN installed.

256-bit AES encryption, solid IP leak prevention, Double VPN technologies, OpenVPN protocols, in-house server maintenance, and logging policies which actually deliver “zero logs” all add up to a package which blocks off most attackers.

But here’s the thing.

Virtual Private Networks aren’t a monolithic block. In fact, the market is segmented into providers which deliver excellent, reliable, secure services, and operators who have lower standards.

Free VPNs, providers who appear overnight on app download databases, and companies with stunning websites and big claims, but no contact details – all of them should be avoided. These providers are more likely to infect your computer with malware that aids hackers than to prevent your data becoming a target.

As far as official hacking goes, the only thing users can do is select a premium provider with 256-bit AES encryption and a location outside the 14 Eyes network.

The 14 Eyes is an informal (but very active) network of intelligence agencies which tends to include close allies of the United States. So the UK, Canada, Australia, Germany, and France are all included. If a Virtual Private Network is based in the 14 Eyes, it’s likely that the NSA or local intel agencies are aware of its systems and architecture. And there’s a strong chance that it is vulnerable to official surveillance.

Make life harder for hackers by choosing the right VPN

Users have the choice of providers like NordVPN (Panama) or ExpressVPN (the BVI), so why take the risk? By avoiding dubious jurisdictions and selecting a provider with industry-leading encryption, you can minimize the risk of being hacked.

You may not be able to erase it entirely, but in a world where we can’t avoid online activity, that may be the best we can do.

Recommended reads:

NordVPN review

ExpressVPN review