One of the main assets for protecting online activities are VPNs or Virtual Private Networks. Through what is known as a tunneling protocol, VPNs are responsible for encrypting a user’s online traffic and rendering their data unreadable. It’s a layer of security that many companies and end consumers have chosen to protect their privacy for a variety of reasons, and it’s so popular that nearly a quarter of internet users used a VPN last year.

So it is a very popular online protection measure, but as with other tools, a common question among its users is whether it can be hacked, and the answer is yes, technically all VPNs can be hacked because all software is vulnerable to hacks. . Of course, they are more difficult to achieve than with other types of tools, and if attackers are trying to do this with one of the highest quality tools, they can have a really hard time. Especially if you have a secure server infrastructure.

How does a VPN work?

In general, a VPN works by generating a private connection in which the activity performed on the Internet is encrypted and therefore unreadable. The user’s Internet data is redirected to the VPN server, which masks the user’s IP address and provides an additional layer of anonymity on the network. This is why they are often used to bypass geo-restrictions, as they allow targeted websites or networks to believe that whoever is trying to access them is in a different location than they actually are.

Additionally, encryption hides various types of sensitive data from ISPs, government authorities, and cybercriminals. These include the IP address, location of the device used to access the Internet, browsing history and online searches. There are several types of VPNs of varying sizes, but they all work in basically the same way. Let’s see what would be the options to hack them.

Hack a VPN by cracking its encryption

Cracking the encryption is one way to hack a VPN. For this, attackers can use cryptographic attacks, although they are likely to be successful only with ciphers that do not have a very well-implemented key. In any case, breaking VPN encryption is a process that consumes a significant amount of time and resources, so hackers are unlikely to have the patience necessary to achieve it.

Additionally, most current VPNs use AES (Advanced Encryption Standard) for encryption, specifically the AES-256 algorithm. This encryption standard uses a 256-bit key to encrypt and decrypt data and is one of the most secure encryption systems available today. It is practically unbreakable and with current technology it would take a long time to break it. That is why it is also used by banks and state entities.

VPNs that use older tunneling protocols

Another way hackers can break into VPNs is by exploiting old VPN tunneling protocols. These protocols are essentially a set of rules that determine how user data of a given virtual private network is managed. They also determine how this data is sent over a particular network.

Using VPNs that use old protocols such as PPTP or L2TP/IPSec reduces the security of networks because their security level is considered medium or low compared to more modern VPNs with updated protocols.

In particular, PPTP uses older technology and has known vulnerabilities that can be exploited by cybercriminals. L2TP/IPsec is slightly more current and has better security, but it also has slower performance than other more modern protocols. But they are the most modern, with protocols like OpenVPN, WireGuard and IKEv2 offering a good combination of high-level security and speed.

Vulnerable VPN through DNS, IP or WebRTC leaks

Cyber ​​attackers can also obtain user data through VPN leaks, i.e. user data leaked through a VPN tunnel due to an application bug or vulnerability.

The main types of such leaks are: DNS leaks, which occur when a VPN exposes internet activity to a provider’s DNS server despite being on an encrypted connection; IP leaks, when an IP address is exposed on the Internet; and WebRTC leaks, which include a leak using browser technology that causes websites to gain unauthorized access to a user’s IP address and bypass an encrypted VPN tunnel.

VPNs that log user data

VPN hacking can also be done if there are VPN providers that store user data without their consent. Although many providers of this type of network claim to have “no recording” policies, ensuring that they do not store user data, there have been times when VPNs have been found to store user information despite making sure they have policies like the ones mentioned .

Examples of real VPN hacks

This January, five zero-day vulnerabilities were discovered in Ivanti VPN. An unauthenticated attacker could use them to run code remotely and compromise systems, affecting nearly 30,000 Internet-connected systems it protects. Fortunately, since discovering these vulnerabilities, Ivanti has already released patches to fix some of them.

Another popular VPN, NordVPN, announced in 2019 that one of its third-party servers suffered a security breach in 2018. This was the only NordVPN server in Finland that was attacked due to misconfiguration of server data from which they did not receive a notification.

According to the company, no other servers or user credentials were affected by the incident. After the breach, they took all necessary measures to improve their security and have since conducted several audits to confirm that everything is in order. It is currently considered one of the most secure VPNs.

Additionally, there have been several occasions where VPNs with no-logging policies have been suspected or caught recording their users’ data. I went with IPVanish VPN in 2016 and Hotspot Shield VPN in 2017. As for Norton Secure VPN, despite having such a policy, Norton’s global privacy statement states that it stores user data, including device names, IP addresses, and URLs.

How to improve VPN security

There are several measures you can take to improve VPN security as well as improve the user experience. To begin with, if you are going to use it with some regularity, it is advisable to use the paid one. For very occasional use where you need to change your IP address, a free one might be enough, but if you’re going to use it regularly, it’s better to go with a paid one. In addition, some free ones sell their users’ data to third parties, mainly so that they can send them personalized advertising.

With a paid VPN, you will have a more secure experience overall and your data will not be sold to third parties. You’ll also have better support and customer service and more security. In any case, choose one that has no data logging policies that conduct independent audits to verify.

Considering what can happen with VPNs that use old protocols, it’s better to choose one that uses modern and updated protocols. Specifically OpenVPN, WireGuard or IKEx2 protocols. There are also proprietary protocols from certain VPN developers that offer high security, such as Lightway by Express VPN or NordLynx by NordVPN.

Apart from all this, it is important to know that a VPN usually includes various security features that further enhance protection. For example, what is known as a kill switch, which automatically blocks any connection between the system in use and the Internet that is not routed through an encrypted VPN tunnel. So if the VPN connection goes down, this feature prevents sensitive data from leaking. Not all VPNs include this feature, so it’s a good idea to check.