Insecure VPNs: Top risks and symptoms that stronger security is needed

Virtual private networks, or VPNs, were created to provide a secure tunnel in which user activity can be carried out in privacy. In this way, VPNs have been utilized by individual users, as well as to support business processes for several years, and their use is only growing.

According to current statistics, nearly 25 percent of all users have leveraged a VPN for some type of online activity within the last month. This includes 17 percent who access a VPN through their desktop, 15 percent who use a mobile smartphone and 7 percent who connect with the private network through a tablet. Those that do utilize VPNs are also leveraging these networks more frequently than ever before – 35 percent of those that access a VPN through their desktop do so on a daily basis.

While users hope and expect that VPNs will live up to their name and truly support a virtual and private connection, research shows that this is not always the case.

How does a VPN work?

As ZDNet contributor Steven J. Vaughan-Nichols explained, traditional VPNs leverage a combination of security techniques – including robust encryption, IP security, Layer 2 Tunneling Protocol, as well as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). Bringing these technologies together, a VPN can then provide a “virtual encrypted ‘tunnel,’” between end-user devices and the VPN server, supporting security and providing a shield against prying eyes or unauthorized access.

“Worried about your ISP snooping on you? Is someone on your coffee shop’s Wi-FI looking [over] your network shoulder? Or, is Joe A. Hacker bugging your internet?” Vaughan-Nichols wrote. “A virtual private network (VPN) can help protect your privacy.”

This promise of privacy and security has made VPNs a popular option for individual users, as well as enterprise employees. Particularly in cases where remote employees must be able to securely access company infrastructure platforms and applications, a VPN can offer an encrypted and protected path for access and user activity.

In order to leverage a VPN, users must either set up a VPN server themselves – a time-consuming and complex process – or make use of one of the many VPN services available today. However, as Trend Micro researchers discovered, not all of these solutions make good on VPN’s main tenets of privacy, security and encryption.

A malware-infected VPN can create security issues for your connection.

When is a VPN not secure?

There are several scenarios which can result in unsecure VPNs, which fail to provide a protected and anonymous user connection:

Malware infection

Rather obviously, a VPN that is infected with malware puts the security and privacy of the connection in jeopardy. In some cases, VPNs are infected after the fact. However, one study of more than 200 VPN apps within the Google Play Store discovered that malware can also come as part of the package – more than one-third of the VPN apps studied by researchers contained malware that included the capability to track users’ online activity, directly contradicting the purpose of a VPN.

As Vaughan-Nichols noted, this issue is more common than some might assume.

“There’s one fundamental concern with VPN services: Can you trust them not to track you?” Vaughan-Nichols wrote. “Some VPNs keep records of where you go on the net. If privacy is a real concern for you, check your VPN’s terms and policies to see if they keep logs of your online activities. If they do, look for another VPN.”

Lack of proper security

In other cases, it’s not malware that presents the issue, but insufficient security techniques. VPNs in this category don’t include the type of robust encryption or other protection technologies that enable the creation of a secure and private connection.

What an insecure VPN looks like: Real-world case

Researchers have also found instances where VPNs simply leak user information, including sensitive data like IP addresses. Such was the case with the popular service, HolaVPN by Hola Networks Ltd. This network service not only exposed users’ IP addresses through their individual web browsers, but also stole user bandwidth, further complicating the security issues associated with it.

As CNET contributor Claire Reilly explained, Hola was not transparent with users about its peer-to-peer VPN operation, which could enable users to browse through other users’ internet connections. Experts urged users to avoid the platform, calling its operations similar to that of a “poorly secured botnet.”

“Hola’s VPN service features ‘vulnerabilities’ which allows third parties to execute code on a user’s system, track them online and ultimately ‘take over your entire computer, without you even knowing,’” Reilly wrote.

The case of HolaVPN is a staunch example of the issues that can emerge with an insecure VPN. Current data shows that Hola Networks’ is being utilized by 8 million Google Chrome extension users.

What an insecure VPN means for enterprise security

While the consequences of using a substandard VPN may be dangerous for the individual user, these issues are only compounded in an enterprise setting.

As Trend Micro researchers noted, if an end user is leveraging an insecure VPN as part of their professional, corporate work, this connection could put the entire enterprise at risk of compromise.

“HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes,” our Trend Micro researchers explained.

What’s more, cybercriminals could also utilize VPN vulnerabilities to carry out malicious, dangerous and even illegal activities, which then appear to be stemming from a VPN user’s device.

Selecting the right VPN

These vulnerabilities and security issues connected with certain VPNs does not mean that organizations must abandon the practice of using them. As Trend Micro noted in our recent white paper, “Illuminating HolaVPN and the Dangers It Poses,” it’s imperative to stay away from VPNs that are known to be insecure.

When selecting a VPN, it’s important to find a platform that does not track user activity. As noted, reading closely through the VPN’s terms and conditions can help illuminate these practices.

In addition, ConsumerReports recommended finding a VPN provider that includes a large volume of servers within its network infrastructure. TunnelBear, for instance, boasts connection locations in more than 20 countries, and automatically connects users to the closest point. This not only helps bolster security, but can also help enhance performance.

To find out more about the risks that an insecure VPN can pose to your organization, check out the research in our white paper, and connect with our Trend Micro security experts today.