We recently interviewed security engineer Scott Arciszewski and asked him a few questions about security and weak-cryptography issues in popular VPN providers and software. From a technical and practical perspective, his insights throw light on the rampant business and marketing practices of popular VPN providers who falsely claim that their products offer the most secure solutions, even going as far as describing their security as “military-grade encryption” (courtesy of NordVPN).
“A hard-coded key is a total game over for this protection.” – Scott Arciszewski
Together with Scott Arciszewski, we have analysed various (practical) weaknesses and security issues affecting commonly used VPN software such as NordVPN. The most important question that arises is:
Are these VPNs really as safe as they claim to be?
Key advice from the interview
- Never trust VPN providers, and avoid using them altogether
- As an alternative, consider using WireGuard for supporting critical corporate infrastructure
- For personal privacy and anonymity use Tor
- VPNs don’t offer the safety, privacy, level of encryption or anonymity that they commonly claim to; practically speaking, they simply can’t. Most of them not being open source makes matters even worse, since the security quality of their code cannot be independently reviewed; they simply try to hide this aspect.
- Don’t fall for advertising clickbait without analysing it further and doing your own research.
Read the full interview below:
(Interview gist for authenticity)
According to a recent tweet of yours, NordVPN doesn’t offer the sort of “military-grade encryption” that it claims to. Can you elaborate further on this statement?
(Ref. – https://twitter.com/CiPHPerCoder/status/1044625129278443522?s=20)
The term “military-grade encryption” is vapid; it has no inherent meaning, but it’s meant to trick people into believing the encryption is secure. NordVPN uses this term a lot in their marketing. A quick decompile and stroll through their Android app’s code revealed the snippets I screencapped (mirror), which show that it’s not great.
Why do you think that this kind of encryption mechanism is vulnerable and unsafe for its user base?
Understanding this requires breaking down exactly what they’re doing. They’re using AES-CBC, which is the AES block cipher in CBC mode.
In order to use AES-CBC securely:
- Each message should have a distinct initialization vector (IV). It’s very important that these are both never reused and unpredictable. This implies generating them from a cryptographically secure PRNG (/dev/urandom). A hard-coded IV is unsafe with CBC mode.
- The ciphertext and IV must be covered by an authentication tag. e.g. HMAC-SHA256. Otherwise, you introduce the risk of padding oracles.
A hard-coded key is a total game over for this protection.
To be clear, this is their Secure Preferences storage, local to the device, not the encryption that NordVPN uses on the wire. However, given that they copied and pasted it from StackOverflow, it shows that they have a very low-quality QA process.
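As an added example (not code from the interview, from NordVPN, or from Scott Arciszewski), the following Go program implements the three requirements listed in the answer above: a fresh IV per message from the OS CSPRNG, an HMAC-SHA256 tag over IV and ciphertext that is verified in constant time before any padding is inspected, and keys passed in by the caller rather than hard-coded. `FixedIVLeaksEquality` illustrates the hard-coded-IV problem from the defender's side: with a fixed IV, two encryptions of the same value are byte-identical, so equality of stored values leaks without any key. The keys and sample plaintexts are constructed for the demo and have no relation to any real product.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// pkcs7Pad pads data to a multiple of blockSize (PKCS#7); CBC needs whole blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding. It runs only after the MAC has been verified,
// so a padding error here is never observable on attacker-controlled input.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize || n > len(data) {
		return nil, errors.New("invalid padding")
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return data[:len(data)-n], nil
}

// cbcEncryptWithIV is the raw primitive: AES-CBC under a caller-supplied IV.
func cbcEncryptWithIV(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(append([]byte{}, plaintext...), block.BlockSize())
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// Encrypt returns iv || ciphertext || HMAC-SHA256(iv || ciphertext) (encrypt-then-MAC).
// The IV is drawn from crypto/rand on every call; the MAC key is separate from the cipher key.
func Encrypt(encKey, macKey, plaintext []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct, err := cbcEncryptWithIV(encKey, iv, plaintext)
	if err != nil {
		return nil, err
	}
	msg := append(append([]byte{}, iv...), ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	return mac.Sum(msg), nil
}

// Decrypt checks the tag first (constant-time compare) and only then decrypts and unpads.
func Decrypt(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < aes.BlockSize+sha256.Size {
		return nil, errors.New("message too short")
	}
	msg, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("authentication failed")
	}
	iv, ct := msg[:aes.BlockSize], msg[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block-aligned")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt, aes.BlockSize)
}

// FixedIVLeaksEquality reports whether two encryptions of the same plaintext under a
// hard-coded IV are identical; with CBC they always are, which is why a fixed IV is unsafe.
func FixedIVLeaksEquality(key, plaintext []byte) bool {
	iv := make([]byte, aes.BlockSize) // constructed: an all-zero hard-coded IV, the anti-pattern under discussion
	a, err1 := cbcEncryptWithIV(key, iv, plaintext)
	b, err2 := cbcEncryptWithIV(key, iv, plaintext)
	return err1 == nil && err2 == nil && bytes.Equal(a, b)
}

func main() {
	// Constructed demo keys; real keys come from a KDF or the platform keystore, never from source code.
	encKey, macKey := make([]byte, 32), make([]byte, 32)
	io.ReadFull(rand.Reader, encKey)
	io.ReadFull(rand.Reader, macKey)
	blob, _ := Encrypt(encKey, macKey, []byte("user token"))
	pt, err := Decrypt(encKey, macKey, blob)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
	blob[len(blob)-1] ^= 1 // flip one bit of the tag: decryption must now fail
	_, err = Decrypt(encKey, macKey, blob)
	fmt.Println("tampered:", err)
	fmt.Println("fixed IV leaks equality:", FixedIVLeaksEquality(encKey, []byte("user token")))
}
```

The order of operations in `Decrypt` is the point: the tag covers both IV and ciphertext and is checked before the first block is decrypted, so the padding check can never become the oracle mentioned above. Running the program twice shows different blobs for the same input under `Encrypt`, while `FixedIVLeaksEquality` returns true.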
Have you reported about this flaw to NordVPN before public disclosure?
Is this class of security vulnerability affecting multiple VPN providers?
Possibly. I haven’t looked at what other VPN providers are doing, since I don’t use VPNs. I use WireGuard for my company VPN purposes, and Tor when I want to hide my IP address.
How did you manage to RE NordVPN’s software if they have such strict mechanisms in place to resist that?
It was trivial, see the following tweet:
What does it show about VPN software and its providers in general? How can one choose the right software to guard anonymity wisely?
Don’t use VPN services. They’re typically run by charlatans. If you need a VPN, set one up yourself. Then you can guarantee whatever privacy protections you desire.
Can you tell us a bit more about yourself as well?
I’m an application security and cryptography engineer, mostly known in the PHP community for getting libsodium into the PHP standard library and writing a pure-PHP polyfill of (most of) libsodium.