Why Is a VPN Secure?

Can a VPN be hacked, and if not, why isn’t this technology a silver bullet against hacking? Can you explain to me in basic terms or analogies?

A VPN is an encrypted tunnel between your computer and some other network. Can it be hacked? It depends on what you mean by “it.” Your computer can be compromised, which renders a VPN connection moot since it protects data only when it is in transit. Your password or private key for the VPN can be stolen. The remote network that the VPN connects to can be operated by bad guys. Some badly-configured node on the remote network can be compromised and used to sniff traffic after it’s been decrypted.

A VPN is one tool out of many for dealing with potential security threats. There’s nothing magical about it.

Rather than sending out my address all over the web, I send out some anonymous address from Chicago, or Tel Aviv that thousands of others are also sending their anonymized addresses out from. You do need to be careful in choosing a VPN service, as they keep varying amounts of info on your wanderings. Far from all VPN providers are reputable, so it pays to do a little research. Remember the old saw, if it is free, YOU are the product.

Also note that a VPN’s security is no better than the encryption algorithm chosen (and may be worse). Mathematically, it is possible to create algorithms that would take an NSA-level supercomputer millions of years to decrypt, but in practice decisions have to be made balancing speed and secrecy, and it is possible that some of the common algorithms have “back doors” or deliberate weaknesses. For example, it came out recently that the CIA owns an encryption company (jointly with their German counterpart).

In fiction, I’ve read that multiple VPNs could be used in a chain to add additional difficulty (usually to NSA, CIA, etc.) in tracking the source of the data. Is that purely fiction?

This sounds like a variant of “onion/garlic/mix routing”, which is supposed to increase your security under certain assumptions. For instance, maybe at least one VPN in your chain is a mysterious black box where the internal network traffic is opaque to the attacker.

To add to what others have said, a VPN protects your privacy, not your security from threats like malware. It makes it really difficult for someone to intercept your communications or to pinpoint your physical location, but a VPN by itself doesn’t block malware or other attacks.

Also note that there are anonymizing VPNs (which we’re talking about here) and corporate VPNs, which allow remote users to connect to a central network (like allowing distributed employees to connect to the HQ network). The technology is pretty much the same, but the use case is different.

This brings us back to the important questions: “how badly do they want to know, how much resources do they have, and what starting guesses do they have?”

Since way back when, the warning has always been that communications can be listened to and decrypted. However, I have yet to hear of any significant hacks using information passing through the outside networks, unless it’s some group with unlimited resources like the NSA. For Joe Hacker, it’s a lot easier to get established inside either the source or the destination.

A VPN is like a second router. If you have several computers behind your home router and surf normally, it is difficult for someone at the other end to tell which computer is which on the web - they all come from the same IP address. (OK, they can tell from things like which version of browser you use, cookies they stuck there earlier, what version of Java, etc.) With a VPN, you send your data packets to the VPN company, and it sends them out on the web using its address in New York or London or wherever. Plus, you are combined with thousands of others using the same VPN, so it’s harder to sort them out.

The HTTPS and similar encrypted protocols need critical data and/or some clever tricks and are supposedly hack-proof to the typical hacker. (I have yet to hear of anyone successfully faking certificates even.) Typically, these protocols can be hacked because there’s a flaw, and upgrades fix the flaws.

If you are the NSA, then you can (maybe) monitor a VPN’s complete input and output and match things up - when a flow comes from Joe’s home address to the VPN in-point in Berkeley, a similar volume of data comes out the VPN endpoint in Seattle. Since all data starts with source and end IPs, now they got you. Or they could be watching you and determine which VPN in-point you send to and start watching the out-points. Again, all this mixed up with thousands of others using the same service, so not a slam-dunk.

The other protection is that possibly, your home router has a flaw that lets hackers in - since although theoretically secure, most are bought off the shelf, and sometimes not even the password is updated, let alone the firmware. (Less likely when the router is also the cable or phone company’s modem - they can do their own updates remotely.) VPN companies, we hope, have more powerful, up-to-date firewalls, and don’t pass unsolicited traffic to your router, don’t tell strange websites your home IP address, and most likely are filtering for known hacks.

A VPN is a useful extra layer when protecting remote access. It is also useful when you are accessing the internet through dodgy WiFi (anything you don’t own or know the owner of). Or if you do not trust your ISP. Or if you use P2P stuff and live somewhere with draconian copyright enforcement.

For a “normal” user accessing the internet from home a VPN is an extra single point of failure. (I trust my ISP more than most VPN providers)

So: VPNs are eminently useful, if your application requires one. For most people they are unnecessary and do not add “security”.

Except when your ISP is not trustworthy. For example, I do not trust my mobile provider, AT&T, due to their past use of things like supercookies, that attempt to track all data use across multiple sites. Sure, they still know where my phone is, and how much data I use, but because of my VPN, they do not know what I’m doing with that data. (All of the major mobile providers have done stuff like this, and due to other circumstances AT&T is very inexpensive for me, so switching providers will not change my privacy/security situation, but will cost me more money.)

The primary residential ISP in my area is Comcast, and Comcast residential intercepts standard port 53 DNS requests, regardless of where they’re sent, and replies to the requests themselves. I prefer to use a custom DNS for ad blocking purposes, which is not possible on Comcast residential (at least in my area). Therefore I use a VPN when I’m on a Comcast residential connection.

I will soon be hosting a conference at a hotel that uses nanny filters on their guest internet. Because such filters have errors, they have in the past blocked legitimate sites we wanted to access, such as European universities. To route around that, I may run all the data from my network at the conference through my work’s non-filtered VPN.

VPN stands for Virtual Private Network. It’s a “virtual” private network because the network traffic is carried across a public network, or at least a network that contains machines other than the two communicating computers. To prevent other computers from eavesdropping on the communication, the communication is encrypted. It’s like two people having a conversation in a coffee shop by speaking in code; everyone else in the coffee shop can hear the sounds of the conversation, but nobody but the two code-speakers knows what the conversation means.

A properly implemented VPN prevents eavesdropping and modification of the network traffic by unauthorized parties. It does not prevent other attack vectors.

The NSA recently announced a flaw in Microsoft’s validation of ECC Cryptography that allowed one to spoof certificates that Windows systems would accept (“D’oh”). The vulnerability was patched on January 14, 2020. Not a problem with ECC itself of course, rather Microsoft’s implementation of it.

Ah yes, the other important use-case for a VPN is “you live in the USA”.

What’s the best VPN to use?

Moderator Note

That’s probably better asked in a separate thread in IMHO.

I recall some click-bait headlines this week about Iran hacking companies’ VPNs.

https://www.clearskysec.com/fox-kitten/

I have been to several websites which reject a VPN connection. They give you something equivalent to a 404, or simply do not respond. Turn off the VPN you’re using and you connect perfectly. Do these websites have a list of VPN networks? How do they know one is connecting with a VPN?

They likely do. And they know by using a list of VPN IP addresses, which are compiled in various ways. The most obvious is just to use the VPN yourself and see which IPs it uses.

That said, my experience is that most sites don’t block everything. There’s nothing bad about being anonymous and merely reading information. The problem is in logging in using a VPN. And, even then, they may be more concerned with creating new accounts via VPN, rather than someone just using a VPN.

I honestly can’t think of a good reason to block read access to a site if you use a VPN, other than just lazily blocking everything to stop logins/sign ups.
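
The kind of check described in the posts above, sketched from the site operator's side as an added example (not part of the original thread): the client address is matched against a list of ranges attributed to VPN exit servers, and the policy either refuses only logins and sign-ups or refuses everything. The ranges are constructed documentation addresses, and the names `VPN_EXIT_RANGES`, `is_vpn_exit` and `is_allowed` are hypothetical.

```python
import ipaddress

# Constructed sample list: documentation-only ranges (RFC 5737 / RFC 3849)
# standing in for blocks a site has attributed to VPN exit servers.
VPN_EXIT_RANGES = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.128/25", "2001:db8:beef::/48")]

# Actions the thread says sites care most about when a VPN is in use.
SENSITIVE_ACTIONS = {"login", "signup"}


def is_vpn_exit(client_ip):
    """True if client_ip falls inside any listed VPN exit range."""
    addr = ipaddress.ip_address(client_ip)
    # A dual-stack server may report IPv4 clients as ::ffff:a.b.c.d;
    # unwrap it so the IPv4 ranges still match.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in VPN_EXIT_RANGES)


def is_allowed(client_ip, action, block_reads=False):
    """Hypothetical site policy: by default only logins and sign-ups are
    refused from listed ranges; block_reads=True is the block-everything
    variant. Unparseable addresses are refused."""
    try:
        from_vpn = is_vpn_exit(client_ip)
    except ValueError:
        return False
    if not from_vpn:
        return True
    if block_reads:
        return False
    return action not in SENSITIVE_ACTIONS


if __name__ == "__main__":
    for ip, action in [("192.0.2.55", "read"), ("192.0.2.55", "login"),
                       ("::ffff:192.0.2.55", "signup"), ("203.0.113.9", "signup")]:
        print(ip, action, is_allowed(ip, action))
```

A check like this is only as complete as the list behind it: a VPN exit address that has not been catalogued passes as an ordinary client.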

I would expect that it would depend on which countries and businesses you bounce through. If the US has a good relationship with a country then they might have a deal to issue warrants on the part of the US, or if a company has business in the US, then they might be willing to respond to a warrant for information on what happened in some distant land.

The quality of logs and the duration of those logs being stored would also matter.

Plausibly the NSA has hacked into a variety of telecommunications businesses around the world and is constantly synchronizing their logs and doesn’t need to issue any warrants.

If you use big, established companies in modern countries, the logs will be better and sit around longer. The US might have very expansive deals for data sharing with them. But, on the other hand, they’re going to treat your data and privacy with more respect. They’re going to make sure that your data is 100% secure right up to the moment that they respond to a warrant and be more secure against the NSA.

If you use small, shoddy businesses in 3rd world countries, they’ll be great for you in terms of log duration and legal ease of access to their information. They’ll just thumb their nose at the US or have legitimately lost all the information. But, on the other hand, the NSA is more likely to have hacked into them, their own security will be worse, and they’re more likely to be scanning their own data for nefarious activities so that they can blackmail you.

Basically, you can’t have any good way of knowing what the best path is through the network. But the more layers you add, the greater the odds are that it becomes infeasible for anyone to be able to find their way through to you. Every time they have to do something to resolve one hop in the chain, there’s a chance that it will require some time to accomplish and a greater chance that that time loss will allow the logs to be purged for space so that, eventually, the path can’t be reconstructed.

But, at that level, your network connection will be so slow and spotty that it might be infeasible for you to do much unless you’re willing to spend a few hours trying to load and reload pages to finally get a message through to your drug dealer, successfully.

You’ll now, probably, have a secure network but then you run into the problem that everything in security has which is that once you make one thing secure, everyone simply circumvents it. If you add the world’s strongest and most pick-lock resistant lock ever invented to your door, the bad guy will simply unscrew the hinges or use a crowbar to strip the screws.

If you evade the NSA, you now have to deal with the problem that the FBI might be watching your drug dealer and tracking every package he sends through the post. 99% of drug dealers on the web might, in fact, simply be FBI agents looking for marks.

My personal recommendation would be that if you want to stay out of jail: Don’t do crime.

No need to bring criminality into it.

Several companies (mine included) require the use of a VPN to help protect company information and the information of our clients.

And while it would not be necessary in my case, even the source of information can sometimes be considered privileged information. Even if that’s the NSA/CIA/whoever (as long as they don’t have a proper warrant). And non-US groups acting legally would have no reason to particularly want the NSA snooping on their communications.

In any event, always attack the weak link. That’s usually the end users. Social engineering is probably the most effective way to circumvent security, which is how the 419 scammers continue to do so well.

A VPN should make it harder (hopefully prohibitively so) for others to read our data, but as mentioned above whether or not somebody can tell you are downloading malware doesn’t offer any protection from the malware itself.