U.S. Senators Ron Wyden and Marco Rubio have sent an urgent plea to new Cybersecurity and Infrastructure Security Agency (CISA), Christopher Krebs to launch an investigation into foreign-owned virtual private networks to assess whether they represent a national security threat to government.
Justin Jett, Director of Audit and Compliance at Plixer:
“Apps developed by foreign companies should be seen as risky, especially as it relates to government agencies and their employees. Because the traffic may be routed to foreign servers, it could be very difficult to subpoena the data or to understand who has access to the data. Additionally, because apps installed on mobile devices often install “profiles” that include root certificates, the apps could be written to man-in-the-middle HTTPS traffic by using TLS decryption. This happens when the app does the HTTPS handshake instead of the user’s browser. When this happens, the user’s entire interaction, including login details, is visible to the app’s developers. Government agencies and enterprises should use network traffic analytics on their networks so they can understand which, and how many, devices are using VPN services that communicate to a foreign entity. Since the VPN will route all traffic to a single location, these devices will be fairly easy to detect because they will have a single communication for all of their network traffic. Furthermore, agencies and enterprises that provide devices to employees should strongly consider policies that prevent users from installing these types of applications. Sensitive information could easily be accessed if employees aren’t careful where they send their traffic.”