Last update: 10.29.2019

Recently, NordVPN admitted that one of its servers in Finland suffered a security breach in early 2018. The issue occurred due to a vulnerability in a remote management system used by the datacenter. In the breach, the attacker stole a NordVPN Transport Layer Security (TLS) key that may be used to impersonate the website or VPN servers, but would not allow to decrypt traffic. The other thing stolen was OpenVPN keys, potentially allowing an attacker to set up servers posing as legitimate NordVPN servers. Similarly to the TLS key, however, the OpenVPN keys could not be used to decrypt data. 

The breach could have exposed users to a “personalized and complicated” man-in-the-middle attack on a single connection trying to access nordvpn.com. This would allow the attacker to see unencrypted traffic. 

To illustrate the complexity of such an attack, here’s a list of steps the attacker would have to take:

  1. Get access to a network or compromise a user’s device, where they can insert themselves between the user and the NordVPN server
  2. Insert themselves between the user and the NordVPN server by using some variant of a spoofing technique, essentially fooling your device that the attacker is the intended recipient of network communications
  3. Impersonate the server using the stolen key

According to NordVPN’s article about the breach, “the key couldn’t possibly have been used to decrypt the VPN traffic of any other server.” Since NordVPN keeps no logs, usernames and passwords wouldn’t have been intercepted either. The company quickly terminated the server when the breach was discovered, limiting the scope of the impact on its users.

It’s at this point we should note that this is one server that was breached from an entire fleet of 3,000+ worldwide (a number that has grown since 2018), a breach that seems to have limited impact.  

But amid all this hullabaloo, another more interesting story is beginning to emerge: a story of one tech publication stoking the fires to make NordVPN’s security incident seem bigger than it is while ignoring similar breaches from TorGuard and Avast Secureline VPN.

The media response

Long before other publications got wind of NordVPN’s security breach, TechCrunch’s Zack Whittaker wrote a searing piece on the impact of the situation based on a thread from Twitter user @hexdefined. While the article that Whittaker writes starts off objectively, it begins to veer quite quickly into speculation, spreading “FUD” – Fear, Uncertainty, Doubt. 

This is done largely with the help of a “senior security researcher” Whittaker claims to have spoken to, one who doesn’t hold back on piling on the fear and thereby elevating a normal story to something Oscar-worthy. 

This unnamed “security researcher” makes the following serious claims:

  • “this is an indication of a full remote compromise”
  • “should be deeply concerning to anyone who uses or promotes these particular services”
  • “Your car was just stolen and taken on a joy ride and you’re quibbling about which buttons were pushed on the radio?”

This entire issue of the anonymous security researcher was disastrously misunderstood by PCGamer, who decided that the security researcher was – somehow – actually “one NordVPN researcher, who declined to be identified.”

Is there anything to the senior researcher’s allegations?

There is ostensibly just one serious claim made by the nameless researcher worth commenting on from a technical perspective. This is the claim that NordVPN’s revelations indicate a localized breach that could have spread throughout the whole network: “[the evidence] is an indication of a full remote compromise of this provider’s systems.”

We have reached out to NordVPN for a comment on this claim. According to representatives at the company, this could not possibly be true:

“Our infrastructure is built in such a way that the breach of a single VPN server will always be isolated to that particular server. It is impossible to reach any other part of our core infrastructure (databases, the web, or other VPN servers) from a single VPN server. The NordVPN infrastructure doesn’t “trust” our VPN servers and was designed this way from the very early days of NordVPN.”

It is unclear what the allegation presented in the TechCrunch article is based on, but there’s next to no actual substance behind it – rather, it seems to serve as an instrument to attract more attention to the story.

NordVPN takes action to become more secure

NordVPN has announced a five-point plan to strengthen its security in multiple ways, starting from the infrastructure and code, and finishing with its teams and partners. Speaking of partners, there’s already a new one that should prove beneficial right away:

  • NordVPN has signed a strategic partnership with VerSprite – a top cybersecurity consulting company that should help with vulnerability management, penetration testing, compliance management and assessment services.
  • Furthermore, a bug bounty program is to be introduced in the upcoming weeks. This means that any security enthusiast from around the world can get a payout for exposing any vulnerabilities to NordVPN developers.
  • A third point in the plan is a full-scale independent audit, planned for next year. It will involve infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures.
  • Next, NordVPN is aiming at building a network of collocated servers. Even though they’ll be located in the data center, they will be owned by the company, which eliminates the possibility of third-party vulnerabilities.
  • Finally, the whole infrastructure will be upgraded to diskless servers running on RAM, meaning that there will be no locally stored information save for NordVPN’s secure central infrastructure. Seizing such a server will do the wrong-doers no good because they won’t find any data on it.

As we can see, NordVPN is pretty serious about maintaining its status as the safest VPN. Even more, after implementing this plan, they will be leaving most of the competitors years behind.

Bottom line

One final thing to note on this topic is that TechCrunch, where much of the escalation to this story originated, may not be entirely unbiased – something that was not disclosed in the article. The website is owned by Verizon, which operates a VPN service of its own called Safe Wi-Fi. Secondly, the ISP has been instrumental in the push to repeal net neutrality in the US – something VPN services can help get around.

In reality, the NordVPN server breach, while unfortunate, seems to be limited, and the company seems to have taken the necessary precautions to stop such events from happening in the future.