Can VPNs Be Hacked? We Did The Research, Here’s the 2019 Guide
People often wonder if VPNs allow room for hackers to exploit or break them. Find the definitive answer to this question with our in-depth analysis. Share
A VPN or virtual private network is one of the best ways to secure your internet connection and keep your data private. However, all of that protection amounts to nothing if a VPN can be easily hacked. How secure is your VPN service? We decided to find out. In the end, it comes down to encryption and how much your VPN leaks.
VPNs work by creating a secure virtual tunnel through the Internet to another network or device. Using this virtual tunnel makes it difficult for anyone – including your ISP – to see your browsing activities.
A VPN protects the confidentiality and integrity of messages as they travel over the public Internet. This means your data remains secret and unaltered.
It’s easy to establish a secure connection. After you connect to your ISP, initiate a VPN connection through the software you’ve installed on your device. This software is also called the VPN client. From there, the VPN server fetches the requested web pages and returns them to you through a secure tunnel, thus keeping your data secure and private.
But how do you know if your VPN is truly secure? The top VPN services like NordVPN can be independently verified. Even so, we’ll walk you through the important aspects of VPN security below.
How Does VPN Encryption Work?
VPNs use a specific protocol to transmit and encrypt your private data. Each protocol is an agreed upon set of rules for data transmission and encryption. Most VPN providers give users the option to choose from several VPN protocols. Some of the most used protocols include: Point to Point Tunnelling Protocol (PPTP), Layer Two Tunnelling Protocol (L2TP), Internet Protocol Security (IPSec) and OpenVPN (SSL/TLS).
OpenVPN is an open-source protocol, which means anyone can look for and patch vulnerabiliies. It’s considered one of the best options for VPN security. If you’ve used a premium VPN service like NordVPN or ExpressVPN, then you’ve likely used OpenVPN protocol.
In order to fully understand how a VPN protects your privacy, we need to dig a little deeper into the science of encryption. VPNs use encryption to make your readable data (plaintext) completely unreadable (ciphertext) in case it’s intercepted as it travels through the Internet. An algorithm or cipher dictates how the encryption and decryption process takes place within the VPN protocols.
Each protocol has its strengths and weaknesses based on the cryptographic algorithm implemented within it. Some VPN providers give users the option to choose from different ciphers. The algorithm or cipher can be based on any of these three classifications: symmetric, asymmetric, and hashing algorithm.
Symmetric encryption uses one key to lock (encrypt) and unlock (decrypt) data. Asymmetric encryption uses two keys, one for encrypting and the other for decrypting data. The table below is a summary comparison between symmetric and asymmetric encryption.
|Keys||One key is shared among multiple entities||One entity has the public key, the other has the private key|
|Key exchange||Requires a secure mechanism for sending and receiving keys||A private key is kept secret by the owner while the public key is available to everyone|
|Speed||Less complex and faster||More complex and slower|
|Strength||Easier to break||Harder to break|
|Scalability||Good scalability||Better scalability|
|Use||Bulk encryption i.e. everything||Only key distribution and digital signatures|
|Security service offered||Confidentiality||Confidentiality, authentication and non-repudiation|
|Examples||DES, Tipple DES, AES, Blowfish, IDEA, RC4, RC5 and RC6||RSA, ECC, DSA, and Diffie-Hellman|
Asymmetric cryptography is the solution to the limitations inherent in symmetric cryptography. Whitfield Diffie and Martin Hellman were among the first group that set out to address these shortfalls by developing an asymmetric algorithm called Diffie-Hellman.
Diffie-Hellman is a popular cryptographic algorithm that is fundamental to many VPN protocols including HTTPS, SSH, IPsec, and OpenVPN. The algorithm lets two parties that have never met before negotiate a secret key even when communicating over an unsecured public channel such as the Internet.
Hashing, in comparison, is a one-way, irreversible type of encryption. It’s used to protect the integrity of transmitted data, such as passwords. Most VPN protocols use hashing algorithms to verify the authenticity of messages sent via the VPN. Examples include MD5, SHA-1, and SHA-2. However, both MD5 and SHA-1 are no longer considered secure.
Can Someone Actually Hack into a VPN?
By encrypting your data and using private DNS servers, VPNs remain one of the most effective means of maintaining online privacy. Nevertheless, it’s important to note that anything can be hacked. This is especially true if you are a high-value target and your adversary has enough time, funds, and resources. The good news is that most users do not fall into the “high-value” category and are therefore unlikely to be singled out.
Hacking into a VPN connection involves one of two tactics. A hacker can either break the encryption through known vulnerabilities or steal the key through unethical means. Cryptographic attacks are used by hackers and cryptoanalysts to recover plain text from their encrypted versions without the key. However, breaking encryption is computationally demanding and time-consuming. It can take strong computers years to actually break the encryption.
Instead, most attacks tend to involve stealing the keys. Spy agencies, for example, generally prefer this method over the complex task of breaking encryption. Given that the math behind encryption is computationally complex, stealing a key is a far easier task. Their success comes from a combination of technical trickery, computing power, cheating, court orders, and behind-the-scenes persuasion.
VPNs can be hacked, but it’s hard to do so. Furthermore, the chances of being hacked without a VPN are significantly greater than being hacked with one.
Existing VPN Vulnerabilities and Exploitations
Edward Snowden and other security researchers previously revealed that the US spy agency, the NSA, did crack the encryption protecting a large amount of internet traffic, including VPNs. The Snowden documents show that the NSA’s VPN decryption infrastructure involves intercepting encrypted traffic and passing some data to powerful computers. The computers would then return the key.
Security researchers Alex Halderman and Nadia Heninger also presented convincing research suggesting that the NSA did develop the capability to decrypt a large number of HTTPS, SSH, and VPN traffic. This attack is known as Logjam.
Their success was based on the exploitation of a weakness in a common implementation of the Diffie-Hellman algorithm. The root cause of this weakness stems from the prime number used to implement the encryption. The researchers estimated it would take about a year and a few 100M dollars to build a powerful computer that would be able to crack a single 1024 bit Diffie-Hellman prime. This is a cost the NSA can afford, but it wouldn’t be enough to decrypt the multiple encryption keys that secure millions of websites and VPNs.
Unfortunately, the researchers found that only a few prime numbers are commonly used for 1024-bit encryption. This includes applications such as VPNs, and therefore, makes it even easier to break. According to Bruce Schneier, “the math is good, but math has no agency. Code has agency, and the code has been subverted”.
VPNs and IP Leaks
Of course, VPNs don’t need their encryption to be compromised to make your connection vulnerable. One of the simplest ways your data can be revealed to an outside party is via VPN leaks. Most frequently, this involves an IP leak. In the process of transmitting your data, your browser may still leak your real IP address. They may not have access to your traffic data in this case, but they can trace your location.
Sometimes, however, your traffic can leak while using a VPN, which would let your ISP know exactly what you’re viewing. Not only that, they’ll know who viewed it. You should also watch out for DNS leaks. For more on understanding the difference between DNS leaks and IP leaks, you can refer to our guide.
Learning to test and fix a leak is a useful skill if privacy is your biggest concern. We’ve also written a guide on how to test and fix a VPN leak.
Though most VPN companies claim they have DNS leak protection built into their software, we discovered that this isn’t exactly true for a number of VPN providers. Based on our research, these three top VPN services were leaking data.
Should You Still Use a VPN?
For service providers, the research team recommends the use of 2048-bit or more Diffie-Hellman keys and also published a guide to its deployment for TLS. The Internet Engineering Task Force (IETF) also recommends using the latest revisions of protocols which require longer prime numbers.
Spies may be able to crack primes commonly used in Diffie-Hellman keys up to 1024 bits (about 309 digits) in length. Primes in 2048-bit keys are more difficult, meaning the spies won’t be able to decrypt data secured using these keys for a very long time.
It’s true that the spy agencies have exploits to target VPNs and other encryption protocols. However, you’re still better protected than if you communicate in plain text. While your computer can be compromised, it would cost them time and money. The less obvious you are, the safer you are.
According to Edward Snowden, “Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on.” As much as possible, avoid VPNs that are primarily based on MD5 or SHA-1 hashing algorithms and PPTP or L2TP/IPSec protocols. Go for those that support current versions of OpenVPN (considered extremely secure) and SHA-2. If unsure which algorithm your VPN uses, refer to the VPN’s website or contact support.
VPNs are your friend. You can trust the math behind encryption. Maximize their use, and do your best to ensure your endpoint is also protected. That’s how you can remain secure even in the face of the crackdown on encrypted connections. But, how can you know which VPNs are truly secure?
Which VPNs Can’t Be Hacked?
Even if all VPNs can be hacked with enough time and money, there are several providers who have leak protection that actually works. Here are the top two VPNs that have been proven to have the best security.
There’s a reason NordVPN is one of our top overall picks when it comes to VPN services. As one of the largest server networks available, it’s a great choice for accessing content that’s subject to georestrictions. However, that doesn’t mean anything if NordVPN isn’t secure.
For starters, NordVPN offers users the option of using OpenVPN or IKEv2/IPSec. However, OpenVPN is its standard protocol. You’ll find that your traffic is protected by military-grade AES-256 bit encryption, which is very difficult to crack, even by brute-force attacks. That’s why it’s the level of encryption used to protect classified military secrets.
If you’re still worried about your data somehow leaking, you’ll have the option to use NordVPN’s double VPN feature. This encrypts your data twice by routing it through not one, but two foreign servers. This also makes it doubly hard to track your real location.
NordVPN is one of two VPN services that were independently confirmed to prevent leaking data, even when there were flaws in the websites themselves. Read our real user reviewsto see why NordVPN is such a popular choice in the world of cybersecurity. There are two separate kill switches you can enable to protect your data if your connection drops.
NordVPN also offers custom DNS settings to protect against DNS leaks. You can try it out for yourself for 30 days, and if NordVPN doesn’t provide the security you’re looking for, you can get a full refund, no questions asked.
NordVPN can unblock:
- Netflix, HBO, Hulu, Showtime, BBC iPlayer, Amazon Prime Video, and Sling TV.
- Yes, P2P specialty servers available.
NordVPN works on these devices:
- Windows, macOS, Android, iOS, Android TV, Linux, Chrome, and Firefox. It’s also compatible with routers.
ExpressVPN isn’t just the fastest VPN on the market. This premium VPN service offers users top-notch security without compromising on speed.
Most connections using AES-256 bit can significantly slow down your device given the effort it takes to place high-levels of encryption on data. However, ExpressVPN manages to implement military-grade security without any noticeable lags. In fact, in our speed test, ExpressVPN often made device connections faster.
With ExpressVPN, you’ll have a choice of protocols to use. OpenVPN is the standard, but its other options include L2TP/IPsec and PPTP. You can also try OpenVPN with UDP or TCP. To further ensure its customers’ security, ExpressVPN renegotiates a secret key once an hour, which maintains your protection even if a single key were intercepted by a malicious actor.
ExpressVPN gives users high-level DNS leak protection that was tested rigorously by outside parties. ExpressVPN can even prevent IP leaks that are frequently caused by tricky webpage configurations like WebRTC.
A premium product like ExpressVPN does come for a price, however, you can try it free for 30 days. If you don’t like it, ExpressVPN will give you your money back in full. See why customers love using ExpressVPN!
ExpressVPN can unblock:
- Netflix, Hulu, HBO, Amazon Prime Video, Showtime, Sling TV, DAZN, and BBC iPlayer.
- Yes, all servers support P2P activity.
ExpressVPN works on these devices:
- Windows, macOS, Android, iOS, Android TV, Linux, Chrome, and Firefox. It also offers an app for use with certain routers.
For our newbies guide to VPNs, click here.
Check out our exclusive discounts and coupons for top VPN services.
Here’s our recommendations for the best VPN free trials.
Here is a list of the best VPNs you can trust.