VPN news today is dominated by a report which claims to have unveiled security flaws in a number of popular VPN providers which could have put user data at risk.
Such reports about software vulnerabilities are not uncommon and in usual circumstances, the provider in question will push out a fix, thank the researchers for their efforts, and maybe even pay out a bounty by way of thanks for helping to keep their service secure.
Not in this case, though. CyberGhost VPN, one of the providers named, is so angry about what it sees as a smear against its service that it is even threatening to take legal action against the website in question.
What researchers are claiming
The website in question is called VPNPro and it claims to offer professional advice on VPNs. It released a statement yesterday in which it claimed to have identified flaws in four VPN providers that could put users at risk.
The first claim related to PrivateVPN and Betternet.
It alleged that if a hacker could dupe you into connecting to a fake public VPN network, a fairly common way of scamming people, it was possible to convince their software to download a fake update containing malware or ransomware.
The report claims to have managed to push out a fake download containing the infamous WannaCry ransomware programme.
It added that PrivateVPN and Betternet had both been told about the flaw on 18th February and both had now patched it. Neither VPN has issued any statement to either confirm or deny this at the time of writing.
But it is the report’s claims against CyberGhost and infamous free VPN Hotspot Shield that have proved most controversial.
The report claimed that it was possible to intercept the communications between the VPN program and the app's backend infrastructure. This sounds like a pretty significant issue but as CyberGhost VPN has explained in a furious retort to the research, it really isn’t.
Fearmongering and false claims
Alexandra Bideaua, a spokesperson for CyberGhost VPN was contacted by CNet to get CyberGhost’s take on the claims.
She was unequivocal in condemning the claims and furiously pointed out that VPNPro had not told them about the report before sending it out to the press and had also failed to respond to subsequent requests for clarification. If this is the case, it is extremely bad practice indeed.
According to Bideaua, the report in question cannot be considered as valid scientific research by any reasonable measure. She offers three main reasons for this.
These are that the report has no clear stated methodology, no explanation of how the researchers carried out the attacks which supposedly intercepted the data, and no definition or clarification of the meaning of broad concepts used in the report like “intercept a connection.”
On the basis of our reading, it is difficult to argue with any of these three objections.
Bideaua also offers a powerful explanation of what the report's claims actually mean in layman’s terms. She claimed that it was similar to claiming that the contents of your mail were at risk of interception because you could see the mailman carrying his bag down your street.
What she means is that because your letter is sealed in an envelope and inside the bag there is no chance of anyone being able to read your mail.
In the case of CyberGhost VPN, the researchers are claiming that it might be possible to intercept its encrypted data. But because that data is secured with robust 256-bit AES encryption that is impossible to crack, this really doesn’t matter.
As Bideaua explains, to crack the information, hackers would need “extreme computational power and some million years to succeed.” She also added that CyberGhost VPN uses “secure app updating procedures that can't be interfered with by third parties.”
Legal action imminent
Far from acquiescing to the claims in the report, CyberGhost has accused VPNPro of playing on fearmongering for their own commercial purposes.
They have also said that they are planning to take legal action against VPNPro unless it either provides evidence of a genuine security flaw in their VPN or issues a retraction and an apology.
Few would take issue with CyberGhost’s stance on the basis of the available evidence so far. Presumably, the only reason that Hotspot Shield hasn’t issued a similarly outraged response is that, as a free VPN, flaws in its software have regularly been revealed previously.
The VPN market is awash with charlatans who are seeking to make a fast buck in a burgeoning sector without any real technical expertise.
If what CyberGhost claims is true, reports such as this undermine the credibility of the whole industry and will make people think security issues exist where there are none.
CyberGhost VPN has come under criticism for being acquired by technology giant KAPE, but until the point of publishing has not been the victim of any major security incidents that we are aware of.