Can VPNs Be Hacked? We Did the Research, Here’s the Guide

People often wonder if VPNs allow room for hackers to exploit or break them. Find the definitive answer to this question with our in-depth analysis.

What is a VPN?

A Virtual Private Network (VPN) creates an encrypted tunnel through the Internet to another network or device. If you access the Internet through this tunnel, it is difficult for anyone, including your ISP, to snoop on your browsing activity.

VPNs also let you disguise your location, appearing to be anywhere in the world, and unlock geographically restricted services. A VPN protects the confidentiality (data stays secret) and integrity (data stays unaltered) of your messages as they travel over the public Internet.

Establishing one of these secure connections is relatively easy. The user first connects to the Internet through an ISP and then initiates a VPN connection to the VPN server using locally installed client software. The VPN server forwards the user's traffic to its destination and relays the responses back through the encrypted tunnel, so the user's data stays private on the public part of the path. Note that the VPN's protection ends at the VPN server: from there to the destination, traffic is only as protected as the application protocol (for example HTTPS) makes it.

How does VPN Encryption Work?

The VPN protocol is an agreed set of rules for tunnelling, authentication and encryption. Most VPN providers give users the option to choose from several VPN protocols. Some of the most used include: Point to Point Tunnelling Protocol (PPTP, now obsolete), Layer Two Tunnelling Protocol (L2TP, which provides no encryption of its own and is normally paired with IPsec as L2TP/IPsec), Internet Protocol Security (IPsec) and OpenVPN (SSL/TLS).

In order to understand how a VPN protects your privacy, we need to dig a little deeper into encryption. A VPN turns your readable data (plaintext) into an unreadable form (ciphertext) for anyone who intercepts it as it travels through the Internet; only the holder of the right key can turn it back. A cipher (algorithm) dictates how encryption and decryption take place within each VPN protocol, and the protocol specifies which ciphers may be used and how the keys are agreed. VPN protocols employ these cryptographic algorithms to keep your browsing activity private and confidential.

Each VPN protocol has its strengths and weaknesses depending on the cryptographic algorithms it uses, and some VPN providers let users choose among ciphers. The algorithms fall into three families: symmetric ciphers, asymmetric (public-key) algorithms and hash functions.

Symmetric encryption uses a single secret key both to lock (encrypt) and to unlock (decrypt) data, so both parties must already share that key. Asymmetric encryption uses a pair of keys: one (the public key) for locking and the other (the private key) for unlocking. The table below compares the two.

Attribute | Symmetric | Asymmetric
Keys | One secret key, shared by the communicating parties | Each party has a key pair: a public key and a private key
Key exchange | Needs a secure way to get the shared key to both parties | The private key never leaves its owner; the public key can be published to everyone
Speed | Simpler and fast | More complex and much slower
Strength | Strong per key bit: 128- or 256-bit keys are considered secure | Needs far longer keys for the same security (a 2048-bit RSA or Diffie-Hellman key is rated at about 112 bits of symmetric strength)
Scalability | n parties need n(n-1)/2 shared keys | n parties need n key pairs
Use | Bulk encryption, i.e. the actual data | Key exchange and digital signatures
Security service offered | Confidentiality | Confidentiality, authentication and non-repudiation
Examples | AES, Blowfish, IDEA, RC5, RC6, Triple DES (legacy); DES and RC4 (broken) | RSA, ECC, DSA and Diffie-Hellman

Asymmetric cryptography addresses the main limitation of symmetric cryptography shown in the table: getting the shared key to both parties safely. Whitfield Diffie and Martin Hellman were the first to publish a solution (in 1976), the key-agreement algorithm now called Diffie-Hellman.

Diffie-Hellman is fundamental to many secure protocols, including HTTPS (TLS), SSH, IPsec (via IKE) and OpenVPN. It lets two parties that have never met negotiate a shared secret key while communicating over an unsecured public channel such as the Internet. Each side picks a private exponent (a and b), sends the other only g^a mod p and g^b mod p for an agreed prime p and generator g, and both arrive at the same value g^(ab) mod p. An eavesdropper who sees only the public values would have to solve a discrete logarithm modulo p to recover the secret, which is infeasible when p is large enough.

Hashing is not encryption but a one-way (irreversible) function, and VPN protocols use it to protect the integrity of transmitted data: each packet carries a message authentication code (an HMAC built on a hash function), computed with a key that only the two endpoints hold, so any modification in transit is detected and the packet is dropped. Examples of hash functions include MD5, SHA-1 and SHA-2. MD5 and SHA-1 are no longer considered secure for new designs.
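The key agreement described above and the hash-based integrity check in the previous paragraph, put together as an added example (this is not code from the article or from any VPN product): both ends run a Diffie-Hellman exchange, derive separate encryption and MAC keys from the shared secret with HKDF-SHA256, and then protect records with encrypt-then-MAC. The group is the 1024-bit MODP group from RFC 2409 (generator 2), used here only because it is short enough to paste; the record layout, the HKDF label and the toy HMAC-counter keystream are this example's own inventions. The peer-value validation and the constant-time tag comparison are the checks a real implementation must perform.

```python
"""Toy VPN handshake with the Python standard library: Diffie-Hellman key
agreement, HKDF key derivation, encrypt-then-MAC record protection.
Added example, not code from the article or any VPN product. Assumptions:
RFC 2409 1024-bit MODP group (g = 2); record format, HKDF label and the
HMAC-counter keystream are made up here. Use a 2048-bit+ group (RFC 3526)
or ECDH, and a real AEAD cipher such as AES-GCM, in anything real.
"""
import hashlib
import hmac
import secrets

# RFC 2409 "Second Oakley Group": p is a 1024-bit safe prime, g = 2.
P_1024 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P_1024 - 1) // 2          # order of the subgroup generated by g

def validate_peer_public(y, p=P_1024):
    """Reject out-of-range values and anything outside the order-q subgroup
    (small-subgroup / invalid-value checks in the spirit of RFC 2631)."""
    return 2 <= y <= p - 2 and pow(y, (p - 1) // 2, p) == 1

def dh_keypair(p=P_1024, g=G):
    x = secrets.randbelow(p - 3) + 2      # private exponent in [2, p-2]
    return x, pow(g, x, p)

def dh_shared(private, peer_public, p=P_1024):
    if not validate_peer_public(peer_public, p):
        raise ValueError("invalid Diffie-Hellman public value from peer")
    return pow(peer_public, private, p)

def hkdf(ikm, salt, info, length):
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm, counter = okm + block, counter + 1
    return okm[:length]

def derive_keys(shared, transcript):
    """Split the raw DH secret into an encryption key and a MAC key, bound
    to the public values both sides saw (the transcript)."""
    okm = hkdf(shared.to_bytes(128, "big"), hashlib.sha256(transcript).digest(),
               b"toy-vpn v1 keys", 64)
    return okm[:32], okm[32:]

def keystream(key, seq, length):
    """Toy stream cipher: HMAC in counter mode. Stands in for AES-GCM here."""
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(key, seq.to_bytes(8, "big") + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:length]

def protect(keys, seq, plaintext):
    """Record = seq || ciphertext || HMAC-SHA256(seq || ciphertext)."""
    enc_key, mac_key = keys
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, seq, len(plaintext))))
    tag = hmac.new(mac_key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    return seq.to_bytes(8, "big") + ct + tag

def unprotect(keys, record):
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = keys
    seq_b, ct, tag = record[:8], record[8:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, seq_b + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: record was modified in transit")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, int.from_bytes(seq_b, "big"), len(ct))))

def handshake():
    """Run both ends in-process; returns (client_keys, server_keys)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    transcript = c_pub.to_bytes(128, "big") + s_pub.to_bytes(128, "big")
    return (derive_keys(dh_shared(c_priv, s_pub), transcript),
            derive_keys(dh_shared(s_priv, c_pub), transcript))

def demo():
    """Round-trip one record, then flip one ciphertext bit: must be rejected."""
    client_keys, server_keys = handshake()
    msg = b"GET /private HTTP/1.1"
    record = protect(client_keys, 1, msg)
    tampered = record[:10] + bytes([record[10] ^ 1]) + record[11:]
    try:
        unprotect(server_keys, tampered)
        return False                        # forgery accepted: broken
    except ValueError:
        return unprotect(server_keys, record) == msg
```

`pow(G, Q, P_1024) == 1` is the cheap sanity check that g really generates the intended prime-order subgroup; `demo()` returns True only if the honest record decrypts and the tampered one is rejected.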

VPNs can be hacked, but it is hard to do so. Without a VPN your traffic crosses the Internet in whatever form the application sends it, so the chance of it being intercepted or tampered with is significantly greater than with one.

Can Someone Actually Hack into a VPN?

VPNs remain one of the most effective means of maintaining online privacy. Nevertheless, it is important to note that pretty much anything can be hacked, especially if you are a high-value target and your adversary has enough time, funds and resources. The good news is that most users do not fall into the "high-value" category and are therefore unlikely to be singled out.

Hacking into a VPN connection means either breaking the encryption, by taking advantage of a weakness in the algorithm or its implementation, or obtaining the key by other means. Cryptanalytic attacks, used by hackers and cryptanalysts alike, try to recover plaintext from ciphertext without the key. Breaking modern encryption outright is computationally demanding and time-consuming, and may take many years if it is feasible at all.

Most real-world efforts therefore go after the keys, which is far easier than breaking the encryption, and this is what spy agencies typically do when confronted with such challenges. Their success comes not from mathematics but from a combination of technical trickery, computing power, cheating, court orders and behind-the-scenes persuasion (backdoors). The math behind encryption remains incredibly strong and computationally complex.

Existing VPN Vulnerabilities and Exploitations

Documents released by the US whistleblower Edward Snowden, together with work by security researchers, have shown that the US spy agency (NSA) could decrypt a potentially huge amount of encrypted Internet traffic, including VPN traffic. The Snowden documents describe a VPN decryption infrastructure that intercepts encrypted traffic and passes selected data to powerful computers, which then return the key.

Security researchers J. Alex Halderman and Nadia Heninger, with their co-authors, also presented convincing evidence that the NSA may have developed the capability to decrypt a large fraction of HTTPS, SSH and VPN traffic. Their 2015 paper, "Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice", describes the Logjam attack on common implementations of the Diffie-Hellman algorithm.

The weakness is not in the Diffie-Hellman algorithm itself but in how it is deployed: most software uses a handful of standardized prime numbers. The hardest part of computing discrete logarithms (the number field sieve precomputation) depends only on the prime, so once it has been done for one widely used prime, every individual connection that used that prime can be broken cheaply. The researchers estimated that a purpose-built machine costing a few hundred million dollars could complete the precomputation for a single 1024-bit Diffie-Hellman prime in about a year, which is well within the NSA's annual budget.

Unfortunately, only a few 1024-bit primes are in common use, which makes the attack pay off even more. According to the researchers, breaking the single most common 1024-bit prime would allow passive eavesdropping on connections to 18% of the top one million HTTPS domains, and a second prime would allow decryption of connections to 66% of VPN servers and 26% of SSH servers. As Bruce Schneier put it, "the math is good, but math has no agency. Code has agency, and the code has been subverted".
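The precomputation problem described above, scaled down so it runs in under a second, as an added example (not the article's code and not the Logjam researchers' tooling): against a toy safe prime the "per-prime stage" is simply a complete table from every public value g^x back to x, built once; every session that used that prime is then broken with one lookup and one exponentiation. Against real 1024-bit primes the per-prime stage is a number field sieve precomputation and the per-session stage a descent, but the cost structure is the same, which is why a shared prime is so much worse than a large one. The toy prime size, the generator search and the work counters are this example's own choices.

```python
"""Why one shared, small Diffie-Hellman prime is dangerous: the expensive
part of a discrete-log attack depends only on the prime, so the attacker
pays it once and then breaks every session that used that prime cheaply.
Added example, not from the article or the Logjam research tooling.
Assumption: a toy safe prime of about 16 bits, so the per-prime stage can
be a full lookup table; the shape of the attack is what matters.
"""
import secrets

def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def find_safe_prime(minimum):
    """Smallest p >= minimum with p = 2q + 1 and both p and q prime."""
    q = max(minimum // 2, 2)
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 1
    return 2 * q + 1

def find_generator(p):
    """Element of full order p-1, so the table covers every public value."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)

def precompute(p, g):
    """Per-prime stage: map each public value g^x mod p back to x. O(p)."""
    table, y = {}, 1
    for x in range(p - 1):
        table[y] = x
        y = y * g % p
    return table

def simulate_sessions(p, g, count):
    """Honest peers who all chose the same standard group. Returns
    (A, B, shared) triples; A and B are what a passive observer sees."""
    sessions = []
    for _ in range(count):
        a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
        A, B = pow(g, a, p), pow(g, b, p)
        sessions.append((A, B, pow(B, a, p)))
    return sessions

def recover_shared(table, p, A, B):
    """Per-session stage: one table lookup and one exponentiation."""
    return pow(B, table[A], p)

def demo(bits=16, sessions=200):
    """Returns (p, sessions broken, sessions attempted, work counters)."""
    p = find_safe_prime(1 << bits)
    g = find_generator(p)
    table = precompute(p, g)                    # paid once for this p
    observed = simulate_sessions(p, g, sessions)
    broken = sum(recover_shared(table, p, A, B) == s for A, B, s in observed)
    work = {"once_per_prime": p - 1,
            "per_session": 2,
            "shared_prime_total": p - 1 + 2 * sessions,
            "own_prime_per_session_total": (p - 1) * sessions}
    return p, broken, sessions, work
```

`demo()` recovers every session's secret; the `work` counters make the point numerically: with one shared prime the attacker's cost is roughly p plus two operations per session, while if each session used its own prime the attacker would pay the full p every time.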

Should You Still Use a VPN?

For service providers, the research team recommends using 2048-bit or larger Diffie-Hellman groups, or elliptic-curve Diffie-Hellman, and published a deployment guide for TLS. The Internet Engineering Task Force (IETF) likewise recommends using the latest revisions of the protocols, which require longer primes.

Spies may be able to crack commonly used Diffie-Hellman primes of up to 1024 bits (about 309 decimal digits). The precomputation for a 2048-bit prime is many orders of magnitude more expensive, so data protected with such keys should stay out of their reach for a very long time.

For users: while it is true that spy agencies have exploits against VPNs and other encryption protocols that they use to target encrypted traffic, you are still far better protected than if you communicate in clear text. Your endpoint can still be compromised directly, but that costs an attacker time and money, which makes it expensive to do at scale. The less obvious a target you are, the safer you are.

According to Edward Snowden, "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on." As far as possible, avoid VPNs that rely on MD5 or SHA-1 for authentication, or on the PPTP or L2TP/IPSec protocols. Choose those that support current versions of OpenVPN (considered very secure when configured with an AEAD cipher such as AES-GCM, SHA-2 for HMAC, and a 2048-bit or larger, or elliptic-curve, key exchange). If you are unsure which algorithms your VPN uses, refer to the VPN documentation or contact support.
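A check to go with the advice above, as an added example (not from the article and not part of OpenVPN): it lints an OpenVPN client profile (.ovpn) for a weak data-channel cipher, a weak HMAC hash, no TLS version floor, missing server-certificate and control-channel protection, and compression. The two profiles are constructed for this example; the directive names (cipher, auth, data-ciphers, ncp-ciphers, tls-version-min, remote-cert-tls, tls-auth, tls-crypt, comp-lzo, compress) are real OpenVPN options, but which values count as weak, and the wording of each finding, are this example's own judgement.

```python
"""Lint an OpenVPN client profile for the weak settings the article warns
about. Added example, not part of the article or of OpenVPN. Assumptions:
the profiles below are constructed; directive names are real OpenVPN
options; the weak/strong classification is this example's own.
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "NONE"}
WEAK_AUTH = {"MD5", "SHA1", "NONE"}          # hash used for HMAC packet authentication

WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(certificate body omitted in this constructed example)
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
tls-version-min 1.2
remote-cert-tls server
verify-x509-name vpn.example.net name
tls-crypt ta.key
"""

def parse_profile(text):
    """Yield (directive, args) per active line; skip comments and inline
    <ca>/<cert>/<key>/<tls-crypt> blocks, which hold PEM data, not directives."""
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if inline is not None:
            if line == f"</{inline}>":
                inline = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    seen = {}
    for directive, args in parse_profile(text):
        seen.setdefault(directive, []).append(args)

    def first(directive):
        return seen.get(directive, [[]])[0]

    findings = []
    cipher = first("cipher")
    if cipher and cipher[0].upper() in WEAK_CIPHERS:
        findings.append(f"cipher {cipher[0]}: 64-bit block or obsolete cipher; use AES-GCM or CHACHA20-POLY1305")
    for d in ("data-ciphers", "ncp-ciphers"):
        for args in seen.get(d, []):
            for name in ":".join(args).split(":"):
                if name.upper() in WEAK_CIPHERS:
                    findings.append(f"{d} lists {name}: negotiation may fall back to a weak cipher")
    auth = first("auth")
    if not auth:
        findings.append("auth not set: OpenVPN defaults to SHA1 for HMAC (ignored by AEAD data ciphers, still used with tls-auth)")
    elif auth[0].upper() in WEAK_AUTH:
        findings.append(f"auth {auth[0]}: weak or broken hash for HMAC; use SHA256 or SHA512")
    tls_min = first("tls-version-min")
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append("tls-version-min missing or below 1.2: control channel may negotiate TLS 1.0/1.1 on older versions")
    if "remote-cert-tls" not in seen:
        findings.append("remote-cert-tls server missing: any certificate from the same CA, including another client's, is accepted as the server")
    if "tls-auth" not in seen and "tls-crypt" not in seen:
        findings.append("no tls-auth/tls-crypt: control-channel packets are accepted from anyone before the TLS handshake")
    if ("comp-lzo" in seen and first("comp-lzo") != ["no"]) or first("compress"):
        findings.append("compression enabled: compressing tunnel traffic enables plaintext-recovery attacks (VORACLE)")
    return findings
```

`audit(WEAK_PROFILE)` returns six findings and `audit(HARDENED_PROFILE)` returns none; the parser deliberately ignores everything inside inline PEM blocks so certificate lines are never mistaken for directives.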

A VPN is your friend. Trust encryption, trust the math. Use it as much as you can, and do your best to keep your endpoint protected as well. That is how you stay secure even in the face of the crackdown on encrypted connections.
