There’s a lot of chatter about VPNs and VPN companies since the NordVPN hack. Our position is that VPN companies can’t be entirely trusted and shouldn’t be used as your first line of defense. We wrote about this in our previous blog post, and recommend that you give that a read if you’re interested in the topic.
NordVPN and similar companies have been aggressively advertising on social media, YouTube and other platforms. Their advertisements have even found their way into sports radio. Unfortunately, what they’re selling is mostly snake oil. Their promises of privacy, security and resistance to surveillance are misguided, and the way they deploy their infrastructure is concerning at the very least.
The main problem is that VPN providers deploy onto untrusted hardware, in bulk and as fast as possible. We’ve seen this first hand in the industry. They buy many servers at a time, have the hosting provider install the OS and hand over the credentials. That transfers trust from the VPN provider to the hosting provider or datacenter: whoever installed the OS and held the credentials first could have changed anything on the box, and the VPN provider has no way to verify otherwise. They don’t install their own OS, don’t use full disk encryption and don’t check the state of the hardware. They treat servers as disposable money machines with no real regard for the security of the hardware. The firmware of the remote management controller (the BMC) is left out of date, and so is the BIOS. We understand hardware security is difficult, but it should at least be attempted.
In NordVPN’s case, they did not even know that the server had remote management. This shows the mentality VPN providers all too often have: as long as there are no logs and the software is right, nothing else matters. The idea that they can deploy their software on any hardware and it will remain safe because it “doesn’t keep logs” is false. A BMC gives whoever can reach it the equivalent of physical access to the machine, console and all, so a no-logs policy on disk says nothing about what that party can observe or change. This is a bad way to run infrastructure if your product is meant to be privacy and security focused, and it calls their competence into question. Most server grade hardware, whether from HP, Dell or Supermicro, has an on-board BMC that allows remote access to the server (usually via iKVM). NordVPN not knowing or expecting this, and then blaming the hosting provider, is disappointing.
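The first thing anyone renting a server should establish is whether the box has a BMC at all, what firmware it runs and whether that BMC has a network address of its own. The script below is an added example written for this post, not code from the original post or from any VPN provider. It assumes a Linux host with `dmidecode` and `ipmitool` installed and root privileges; the `SAMPLE_*` strings are constructed command output so the parsing runs offline, and `audit_live_host()` gathers the same evidence from the real machine.

```python
"""Audit a Linux server for an on-board BMC and its network exposure.

Added example, not from the original post. Assumes a Linux host with
dmidecode and ipmitool installed, run as root. The SAMPLE_* strings are
constructed output so the parsers can be exercised offline.
"""
import re
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Constructed sample of `dmidecode -t 38` (SMBIOS type 38 = IPMI device).
SAMPLE_DMIDECODE_T38 = """\
# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 3.2.1 present.

Handle 0x0040, DMI type 38, 18 bytes
IPMI Device Information
        Interface Type: KCS (Keyboard Control Style)
        Specification Version: 2.0
        I2C Slave Address: 0x10
        NV Storage Device: Not Present
        Base Address: 0x0000000000000CA2 (I/O)
        Register Spacing: Successive Byte Boundaries
"""

# Constructed sample of `ipmitool lan print`.
SAMPLE_IPMITOOL_LAN = """\
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.0.0.50
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
Default Gateway IP      : 10.0.0.1
"""

# Constructed sample of `ipmitool mc info`.
SAMPLE_IPMITOOL_MC = """\
Device ID                 : 32
Device Revision           : 1
Firmware Revision         : 1.80
IPMI Version              : 2.0
Manufacturer ID           : 10876
"""


def has_ipmi_device(dmidecode_t38: str) -> bool:
    """SMBIOS advertises an IPMI device when a 'DMI type 38' record exists."""
    return re.search(r"^Handle .*DMI type 38,", dmidecode_t38, re.M) is not None


def ipmi_interface(dmidecode_t38: str) -> Optional[str]:
    """Host-side interface to the BMC (KCS, SMIC, BT, SSIF) from the type 38 record."""
    m = re.search(r"Interface Type:\s*(\w+)", dmidecode_t38)
    return m.group(1) if m else None


def parse_kv(text: str) -> dict:
    """Turn ipmitool's 'Key : Value' lines into a dict (split on the first colon)."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            out[key.strip()] = value.strip()
    return out


def lan_exposure(lan_text: str) -> dict:
    """Does the BMC have a network identity of its own?"""
    kv = parse_kv(lan_text)
    ip = kv.get("IP Address", "")
    return {
        "ip": ip,
        "source": kv.get("IP Address Source", ""),
        "exposed": ip not in ("", "0.0.0.0"),
    }


def firmware_revision(mc_text: str) -> Optional[str]:
    """BMC firmware version as reported by `ipmitool mc info`."""
    return parse_kv(mc_text).get("Firmware Revision")


def audit(dmidecode_t38: str, lan_text: str, mc_text: str,
          ipmi_dev_present: bool = False) -> dict:
    """Combine the evidence into one report. bmc_present=True means the box
    has a management plane the OS cannot see into; it needs firmware updates
    and a dedicated management network before any trust is placed in it."""
    present = has_ipmi_device(dmidecode_t38) or ipmi_dev_present
    return {
        "bmc_present": present,
        "interface": ipmi_interface(dmidecode_t38),
        "kernel_device": ipmi_dev_present,
        "firmware": firmware_revision(mc_text) if present else None,
        "lan": lan_exposure(lan_text) if present else None,
    }


def _run(cmd: list) -> str:
    """Run a tool and return its stdout, or '' if it is missing or fails."""
    if shutil.which(cmd[0]) is None:
        return ""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except OSError:
        return ""


def audit_live_host() -> dict:
    """Gather the same evidence from the running host (needs root)."""
    dev = any(Path("/dev").glob("ipmi*"))  # /dev/ipmi0 exists when the driver is loaded
    return audit(_run(["dmidecode", "-t", "38"]),
                 _run(["ipmitool", "lan", "print"]),
                 _run(["ipmitool", "mc", "info"]),
                 ipmi_dev_present=dev)


if __name__ == "__main__":
    import json
    print(json.dumps(audit_live_host(), indent=2))
```

Two caveats when reading the report. A missing type 38 record is not proof that there is no BMC; some boards omit it, so treat only a positive result as conclusive. And a KCS interface means root on the host can talk to the BMC without any authentication, which is exactly why this check is possible from inside the OS, and also why anyone who owns the host can reconfigure the BMC’s network settings and users.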
Behind all the marketing fluff of most VPN providers there is insecure and untrusted infrastructure. VPN providers simply want to cram as many users onto a server as they can, and at the end of the day that is all most of the popular ones care about. It’s unfortunate, but there are still some, such as AzireVPN, CryptoStorm and Mullvad, who know their stuff. A VPN should not be the go-to solution, but we understand that it’s the easiest way to get around blocks, censorship and local network spies. If you’re looking for a VPN provider that’s the ‘real deal’, we recommend you check them out.