VPN apps a security risk, warns US cyber-security agency director Christopher Krebs

Nation state actors 'have demonstrated intent and capability to leverage VPN services… for malicious purposes'

Christopher Krebs, director of the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), has warned that nation-state threat actors are using VPN services to eavesdrop on users.

In a letter obtained by CyberScoop, Krebs warns that if a US government employee were to use a poorly sourced VPN app on their device, it is possible that classified information could be compromised.


"Nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes," warned Krebs. "The vulnerabilities are the ability of users to download untrusted VPN services and the lack of policy across organizations restricting their download."

Google Play, in particular, is littered with low-cost or free VPN apps with links to countries such as China, and offers users only opaque assurances about whether the security of their data is respected.


Furthermore, added Krebs, the US government has few effective mitigations against the risk of US government employees using VPN apps of dubious provenance.

"Policy restrictions vary across departments and agencies. However, the number and identity of government-operated mobile devices that have downloaded foreign VPN applications is unknown," warned Krebs.

He continued: "Even with the implementation of technical solutions, if a US government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely.


"This exploitation could lead to loss of data integrity and confidentiality of communications transmitted over the application. Exposure of data would likely include contacts, user history, geolocation, photographs, and any other accesses granted by the user to the application."

CISA would monitor the situation, he concluded, although his recommendations went little further than additional training and guidance.
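The two things Krebs says are unknown, how many government devices carry a foreign VPN app and which ones, are answerable from an ordinary mobile-device-management inventory. The script below is an added example written for this article, not code from DHS, CISA or any vendor named here. It assumes an inventory export of one JSON object per installed app per device (the field names, the package names and the device IDs are all constructed), and it treats an app as a VPN provider when it declares a service guarded by Android's BIND_VPN_SERVICE permission, which is how every Android VPN app must announce itself. Anything VPN-capable that is not on the organisation's approved list is reported, along with apps that arrived without a store installer, i.e. sideloaded.

```python
"""Flag unapproved VPN-capable apps across a mobile-device inventory.

Added example for this article; not code from DHS, CISA or Top10VPN.
The inventory format (newline-delimited JSON from a hypothetical MDM
export) is an assumption, and every package name and device ID is constructed.
"""
import json
from collections import defaultdict

# An Android VPN app exposes a VpnService subclass protected by this
# permission; it is the most reliable "this app is a VPN" signal an
# inventory can carry, independent of what the app calls itself.
VPN_SERVICE_PERMISSION = "android.permission.BIND_VPN_SERVICE"

# Hypothetical organisation policy: the only VPN package allowed on devices.
APPROVED_VPN_PACKAGES = {"gov.example.agencyvpn"}

# Constructed sample export: one record per installed app per device.
# "installer" is the package that installed the app; None means sideloaded.
SAMPLE_INVENTORY = "\n".join(json.dumps(r) for r in [
    {"device": "dev-001", "package": "gov.example.agencyvpn",
     "service_permissions": [VPN_SERVICE_PERMISSION], "installer": "com.android.vending"},
    {"device": "dev-001", "package": "com.example.notes",
     "service_permissions": [], "installer": "com.android.vending"},
    {"device": "dev-002", "package": "com.example.freevpn",
     "service_permissions": [VPN_SERVICE_PERMISSION], "installer": "com.android.vending"},
    {"device": "dev-003", "package": "com.example.sideloaded.proxy",
     "service_permissions": [VPN_SERVICE_PERMISSION], "installer": None},
    {"device": "dev-003", "package": "gov.example.agencyvpn",
     "service_permissions": [VPN_SERVICE_PERMISSION], "installer": "com.android.vending"},
])


def parse_inventory(text):
    """Parse newline-delimited JSON records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # one corrupt export line must not abort the whole audit
        if isinstance(record, dict):
            records.append(record)
    return records


def is_vpn_capable(record):
    """True when the app declares a BIND_VPN_SERVICE-protected service."""
    return VPN_SERVICE_PERMISSION in record.get("service_permissions", [])


def find_violations(records, approved=APPROVED_VPN_PACKAGES):
    """Return {device: [unapproved VPN packages]} for every device in breach."""
    violations = defaultdict(list)
    for r in records:
        if is_vpn_capable(r) and r["package"] not in approved:
            violations[r["device"]].append(r["package"])
    return dict(violations)


def summarise(text, approved=APPROVED_VPN_PACKAGES):
    """Answer the two unknowns in the letter: how many devices, and which."""
    records = parse_inventory(text)
    violations = find_violations(records, approved)
    return {
        "devices_total": len({r["device"] for r in records}),
        "devices_in_breach": len(violations),
        "violations": violations,
        # VPN apps with no store installer never passed any store review at all
        "sideloaded": sorted(r["package"] for r in records
                             if is_vpn_capable(r) and r.get("installer") is None),
    }


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_INVENTORY), indent=2))
```

Detecting the apps is only half of the "technical solutions" Krebs mentions; on Android Enterprise devices a device owner can also pin an approved client with DevicePolicyManager.setAlwaysOnVpnPackage and apply the DISALLOW_CONFIG_VPN user restriction so that users cannot switch to another VPN app, which addresses the policy gap the letter describes.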

Simon Migliano, head of research at Top10VPN.com, backed up the warnings. "Some of the biggest VPN apps in the world have ownership that can be traced back to high-censorship nations that are extremely hostile to internet freedom and privacy," he said, adding that 60 per cent of the free VPN apps in both Apple's App Store and the Google Play store had some kind of "hidden" Chinese ownership.


"This means Chinese companies have access to the browsing data of millions of unsuspecting internet users around the world. The research also uncovered the severe lack of expected user privacy protections among these services, leaving huge swathes of sensitive data ripe for abuse.

"It's worth pointing out that these VPNs are not intended for the Chinese market. They are being heavily marketed everywhere else in the world, dominating search results for VPN in the Apple App Store and Google Play, and gaining millions of new downloads every month."

Migliano went on to question why, if genuinely private VPNs are effectively banned in China, the companies would be providing such apps for people elsewhere in the world.

"Why would the VPN service providers put themselves at such risk of repercussion from their governments, if these authorities did not stand to benefit from the exploitation of the data flowing through their VPN server networks?" asked Migliano.
