Hackers can use VPNs to hijack your PC: How to protect yourself

UPDATED May 13, 2020, with description from VPNpro.
Two prominent VPN services could have been hacked through malicious software updates, researchers from news website VPNpro discovered. If you were using one of them, your computer could have been completely hijacked with virtually any kind of malware before you realized it.
The two VPN services, Betternet and PrivateVPN, have since fixed the flaws. But beforehand, you could have infected Betternet and PrivateVPN client software on a Windows PC with fake software updates downloaded in man-in-the-middle attacks, in which the client software would not realize it was getting updates from a malicious source instead of the legitimate software-update server.
"Rather than protect their users' data, PrivateVPN and Betternet [had] overlooked a crucial security attribute that allows for malicious actors to steal that data or do even worse actions," the VPNpro report said.
The VPNpro researchers looked at twenty widely used VPN services: Betternet, CyberGhost, ExpressVPN, Hide.me, HMA (Hide My Ass), Hola VPN, Hotspot Shield, IPVanish, Ivacy, NordVPN, Private Internet Access, PrivateVPN, ProtonVPN, PureVPN, TorGuard, TunnelBear, TurboVPN, SurfShark, VyprVPN and Windscribe.
Fourteen of the VPN services had no issues. But it was possible to intercept the client-server communications of six VPN services, including Hotspot Shield and Hide.me, although neither of those two's software actually connected to VPNpro's proof-of-concept malicious server.
Four of the services' client software did connect to VPNpro's malicious server. Two of those, CyberGhost and TorGuard, did not download the malicious software update VPNpro had put there.
Betternet and PrivateVPN both did, though. The Betternet client software did not automatically install the malicious update, but prompted the user to do so. (Most users probably would click "OK" without hesitation.) The PrivateVPN client installed the update automatically.
The real-world implications
The attacks described are not purely academic or confined to a lab setting.
"Imagine you're sitting in a cafe or at the airport and connect to the free Wi-Fi," VPNpro said in its report. "You make sure to connect to a VPN before going online. Then, you get a notification on your VPN tool to install a recent update.
"Of course, you do, because it's important to keep your software up-to-date," VPNpro said, then added that doing so could install ransomware, spyware or practically any kind of malware on your computer.
You can avoid such attacks, VPNpro said, by making certain to never download any software updates from an untrusted or open Wi-Fi network. It's all too easy for pranksters and criminals to set up malicious Wi-Fi hotspots with innocuous names like "Starbucks Wi-Fi" or "AT&T Free Hotspot."
And, of course, you can avoid most malware attacks, no matter how they arrive on your computer, by running one of the best antivirus programs.
Update from VPNpro
After getting blowback from some of the VPN providers who fell into the "intercepted" but not totally hacked category, VPNpro added these paragraphs to its initial report.
If a VPN has a "Yes" for the question "Can we intercept the connection?," this means that the VPN software had no additional certificate pinning or similar procedures in place that would prevent us from intercepting the communication with the update network requests. We were able to intercept the connection for six of the VPNs, while 14 had the proper certificate pinning in place.
In general, some readers mistakenly assumed that "intercepting communications" meant that we were intercepting the communications between the user and VPN server, but in reality our research is about updates and the client endpoints, and not about touching the VPN connection.
If a VPN has a "Yes" for the question "Did it connect while being intercepted?," this means that the VPN software established a connection to VPN server while being on a malicious connection. If the answer is "No," it didn't connect. In our tests, 4 of the top twenty VPNs established this connection, while 16 of the VPNs did not connect.
However, because our POC was based on pushing a fake update through the app, and since those VPNs (CyberGhost, Hotspot Shield, Hide Me and TorGuard) didn't accept it, we didn't consider this as a vulnerability.
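The certificate pinning VPNpro describes, sketched as an added example (not code from VPNpro or from any VPN vendor): an update client that accepts the update channel only when the server's certificate matches a fingerprint shipped with the app. The pin value and both function names are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Assumption: SHA-256 fingerprints of the update server's DER-encoded
# certificate, shipped inside the client. The value below is a constructed
# placeholder, not a real certificate.
PINNED_SHA256 = {
    hashlib.sha256(b"constructed-stand-in-for-real-DER-cert").hexdigest(),
}


def cert_is_pinned(der_cert: bytes, pins=PINNED_SHA256) -> bool:
    """Return True only if the presented certificate matches a shipped pin."""
    seen = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(seen, pin) for pin in pins)


def open_update_channel(host: str, port: int = 443, pins=PINNED_SHA256):
    """Open a TLS connection for update requests, enforcing the pin.

    Normal CA and hostname validation runs first. The pin is an extra check,
    so a certificate that chains to some other trusted root (for example one
    presented by an intercepting hotspot) is rejected before any update
    metadata or installer is requested.
    """
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    if not cert_is_pinned(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLError("update server certificate does not match pin")
    return tls
```

Pinning a single certificate means the pin set must be updated before the server certificate is rotated, which is why clients usually ship more than one pin.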
Source: https://www.tomsguide.com/news/vpn-mitm-attack
Posted by: gauthierherand85.blogspot.com