VPN servers seized by Ukrainian authorities weren’t encrypted
Privacy tools seller Windscribe said it failed to encrypt the company’s VPN servers recently confiscated by Ukrainian authorities, a mistake that allowed authorities to impersonate Windscribe servers and capture and decipher the traffic passing through them.
The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine were seized as part of an investigation into activity that took place a year earlier. The servers, which ran OpenVPN virtual private network software, were also configured to use a setting that was deprecated in 2018 after security research uncovered vulnerabilities that could allow adversaries to decrypt the data.
“On the disk of these two servers was an OpenVPN server certificate and its private key,” wrote a Windscribe representative in a July 8 post. “Although we have encrypted servers in high sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently implementing our plan to address this.”
Windscribe’s admission highlights the risks posed by an explosion of VPN services in recent years, many of which come from companies few people have heard of before. People use VPNs to channel all of their internet traffic through an encrypted tunnel, to prevent people on the same network from reading or tampering with the data, or from detecting the IP addresses of the two communicating parties. The VPN service then decrypts the traffic and sends it to its final destination.
By not following standard industry practices, Windscribe largely negated these security guarantees. While the company has attempted to minimize the impact by laying out the requirements an attacker would have to meet in order to be successful, those conditions are precisely the ones VPNs are designed to protect against. Specifically, Windscribe said, the conditions and potential consequences are:
- The attacker has control over your network and can intercept all communications (privileged position for MITM attack)
- You are using a legacy DNS resolver (legacy DNS traffic is unencrypted and subject to MITM)
- The attacker has the possibility to manipulate your unencrypted DNS requests (the DNS entries used to choose an IP address of one of our servers)
- You are NOT using our Windscribe applications (our applications connect via IP and not DNS entries)
The potential impact for the user if all of the above conditions are true:
- An attacker could see unencrypted traffic inside your VPN tunnel
- Encrypted conversations such as HTTPS web traffic or encrypted email services would not be affected
- An attacker would be able to see the source and destinations of the traffic
It is important to remember that:
- Most internet traffic is encrypted (HTTPS) inside your VPN tunnel
- No historical traffic is at risk thanks to PFS (Perfect Forward Secrecy) which prevents the decryption of historical traffic, even if you have the private key of a server
- No other protocol supported by our servers is affected, only OpenVPN
Three years late
Besides the lack of encryption, the company also uses data compression to improve network performance. Research presented at the 2018 Black Hat Security Conference in Las Vegas revealed an attack known as Voracle, which uses clues left in compression to decrypt data protected by OpenVPN-based VPNs. A few months later, OpenVPN deprecated the feature.
The privacy tool maker said it was revamping its VPN offering to provide better security. The changes include:
- Discontinue use of its current OpenVPN certification authority in favor of a new one that “follows industry best practices, including the use of an Intermediate Certification Authority (CA)”
- Transition all servers to function as in-memory servers without hard disk support. This means that all data that machines contain or generate lives only in RAM and cannot be accessed after a machine has been shut down or restarted.
- Implement a forked version of WireGuard as the primary VPN protocol
- Deploy a “resilient authentication backend” to allow VPN servers to function even in the event of a complete failure of the main infrastructure
- Enable new application features, such as the ability to change IP addresses without disconnecting, request a specific and static IP address, and “client-side multi-hop ROBERT rules that are not stored in any database”
In an email, Windscribe director Yegor Sak explained the steps his company has taken. They include:
1. All the keys necessary for the operation of the server are no longer permanently stored on any of our servers and only exist in memory after they have been put into service.
2. All servers have short-lived certificates and unique keys generated from our new CA which are rotated.
3. Each server certificate has a common unique identification name + SAN
4. New OpenVPN client configurations enforce X509 server certificate name verification using common name which is unique.
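As an added illustration (not Windscribe's code or configuration), the sketch below audits an OpenVPN client config for the weaknesses this article describes: compression left enabled, a server reached through a DNS name, and no pinning of the server certificate name with `verify-x509-name`. It also checks for `remote-cert-tls`, which goes slightly beyond the article; the sample configs, hostnames, addresses and finding names are constructed for the example.

```python
import ipaddress

COMPRESS_ALGOS = {"lzo", "lz4", "lz4-v2"}  # values of `compress` that really compress

# Constructed sample client configs (hostnames and addresses are placeholders).
LEGACY = "client\ndev tun\nremote vpn.example.net 1194 udp\nca ca.crt\ncomp-lzo\n"
HARDENED = ("client\ndev tun\nremote 192.0.2.10 1194 udp\nca ca.crt\n"
            "remote-cert-tls server\n"
            "verify-x509-name node-01.vpn.example.net name\n")

def parse_directives(text):
    """Return (directive, args) pairs, skipping blank lines and #/; comments."""
    out = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split()
        if parts:
            out.append((parts[0].lower(), parts[1:]))
    return out

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def audit(text):
    """Return sorted finding codes for one OpenVPN client config."""
    directives = parse_directives(text)
    names = {key for key, _ in directives}
    findings = set()
    for key, args in directives:
        lzo_on = key == "comp-lzo" and args[:1] != ["no"]
        algo_on = key == "compress" and args[:1] and args[0] in COMPRESS_ALGOS
        if lzo_on or algo_on:
            findings.add("compression-enabled")
        if key == "remote" and args and not is_ip(args[0]):
            findings.add("remote-by-dns")  # server address depends on DNS
    if "verify-x509-name" not in names:
        findings.add("no-server-name-pinning")  # any cert from the CA is accepted
    if "remote-cert-tls" not in names:
        findings.add("no-server-eku-check")
    return sorted(findings)
```

Running `audit(LEGACY)` reports all four findings, while `audit(HARDENED)` returns an empty list.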
He was exceptionally outspoken about the forfeiture, writing:
Until then, we find no excuse for this omission. The security measures that should have been in place were not. After performing a threat assessment, we believe that the way this was addressed and described in our article was the best step forward. It reached as few users as possible while transparently addressing the unlikely hypothetical scenario resulting from the seizure. No user data was or is at risk (the attack vector for using the keys requires the attacker to have full control over the victim’s network with several preconditions described in the article above). The hypothetical situations described are no longer usable as the final CA sunset process was already completed last week, July 20.
The number of active users of the service is not clear. However, the company’s Android app lists over 5 million installs, indicating that the user base is likely large.
The seizure of Windscribe servers underscores the importance of the type of basic VPN security hygiene that the company has failed to adhere to. This, in turn, highlights the risks posed when people rely on little-known or untested services to protect their internet use from prying eyes.