Looking for a reliable VPN service? Discover why the NordVPN security audit is a game changer
Nord Security, the company behind NordVPN and other products, requested an extensive security audit of NordVPN applications, add-ons, web services and APIs in June 2022. The audit was carried out by Cure53, a German company specializing in security audits.
Cure53 was tasked to conduct a penetration test and source code audit against "NordVPN servers, infrastructure, and NordVPN desktop applications for Windows, Linux, and macOS". The audit lasted from July 2022 to October 2022 and was compartmentalized into three work packages.
Note: Bitwarden, makers of the password management service, posted the results of a security audit of Bitwarden by Cure53 today as well.
The results of the audit have been published by NordVPN on the official company website. Interested users can find the two Cure53 reports there.
The researchers identified a total of 6 vulnerabilities and 17 miscellaneous items with "lower exploitation potential". While the number of identified items appears large, Cure53 notes that the scope of the audit was also large, as it involved applications, extensions, infrastructure, source code and web services that NordVPN operates.
NordVPN fixed all security issues that the researchers identified during the audit. Cure53 approved the patches and confirmed that NordVPN implemented the mitigations correctly.
Tip: you can check out our latest NordVPN review here.
NordVPN: the major security issues
One of the issues received a critical rating, two a high rating. The critical issue affected the NordVPN Daemon on Linux systems. The researchers noticed that it embedded "the environment variables of a foreign process into the command line" to send desktop notifications on KDE and Gnome systems.
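The Linux finding above comes down to a privileged daemon taking environment variables from another user's process and putting them into a command line. The following is an added example written for this article, not code from NordVPN or Cure53, of the defensive pattern a helper can use instead: copy only an allow-list of variables whose values match a strict shape, and hand the notification to the child as an argv list rather than a shell string. The `notify-send` command, the allow-list, and the hostile sample environment are assumptions constructed for the demonstration.

```python
"""Added example (not from the article, NordVPN or Cure53): building a
desktop-notification command from a foreign process's environment without
letting that environment reach a shell or an unintended argv slot."""
import re
import subprocess

# Only these variables are ever copied from the target user's process, and
# only when the value matches the narrow pattern. Everything else is dropped.
ALLOWED_VARS = {
    "DISPLAY": re.compile(r"^:[0-9]+(\.[0-9]+)?$"),
    "DBUS_SESSION_BUS_ADDRESS": re.compile(r"^unix:path=/[A-Za-z0-9_./-]+$"),
    "XDG_RUNTIME_DIR": re.compile(r"^/[A-Za-z0-9_./-]+$"),
}

# Constructed sample of what a helper might read from a foreign process:
# two legitimate values, one unrelated variable, and one value that carries
# shell metacharacters. Only the first two should survive filtering.
SAMPLE_FOREIGN_ENV = {
    "DISPLAY": ":0",
    "DBUS_SESSION_BUS_ADDRESS": "unix:path=/run/user/1000/bus",
    "LD_PRELOAD": "/tmp/anything.so",
    "XDG_RUNTIME_DIR": "/run/user/1000;bad value",
}


def filter_foreign_env(foreign_env):
    """Return only allow-listed variables whose values match their pattern.
    A value that fails its pattern is discarded, never passed through."""
    return {k: v for k, v in foreign_env.items()
            if k in ALLOWED_VARS and ALLOWED_VARS[k].fullmatch(v)}


def build_notify_argv(title, body):
    """Build an argv list: each value is exactly one argument and is never
    interpolated into a shell string. Line breaks are flattened so a message
    cannot be split into something that looks like a second notification."""
    def clean(s):
        return s.replace("\r", " ").replace("\n", " ")
    # '--' ends option parsing, so a title starting with '-' is still text.
    return ["notify-send", "--", clean(title), clean(body)]


def send_notification(title, body, foreign_env, run=subprocess.run):
    """Spawn the notifier with shell=False and a fully rebuilt environment.
    `run` is injectable so the function can be exercised without a desktop."""
    argv = build_notify_argv(title, body)
    env = filter_foreign_env(foreign_env)
    return run(argv, env=env, shell=False, check=False)


if __name__ == "__main__":
    # Offline demonstration: a fake runner that just echoes what would execute.
    def fake_run(argv, env, shell, check):
        print("argv:", argv)
        print("env:", env)
    send_notification("NordVPN", "Connected\nto server", SAMPLE_FOREIGN_ENV, run=fake_run)
```

The point of the `run` parameter is testability: the filtering and argv construction, which are where the audit finding lived, can be checked without a display server present.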
The first security issue rated high affected NordVPN on macOS systems. The privileged VPN helper wrote logs to user-owned file locations. An attacker with user privileges could exploit this with symlinks to "write log entries to any root-owned file".
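The macOS log finding is a classic of privileged code writing into locations a less privileged user controls. The following added example, written for this article and not taken from NordVPN's helper, shows how a privileged process can refuse such a file: open with `O_NOFOLLOW` so a planted symlink is never followed, then check the object that was actually opened (via `fstat`, so there is no window between check and use) for being a regular file owned by the helper's own user. The temporary directory and the planted symlink in `demo()` are constructed to simulate the scenario; the "victim" file stands in for the root-owned file the attacker would target.

```python
"""Added example (not from the article, NordVPN or Cure53): opening a log file
from a privileged helper in a way that refuses symlinks and foreign-owned files.
The demo scenario below is constructed; the real fix is also to keep logs in a
directory that only the privileged user can write to."""
import os
import stat
import tempfile


def open_log_safely(path, expected_uid=None):
    """Open `path` for appending without following a final symlink, then verify
    the object actually opened. Returns an fd, or raises PermissionError."""
    uid = os.geteuid() if expected_uid is None else expected_uid
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:  # ELOOP when the last component is a symlink
        raise PermissionError(f"refusing {path}: {exc.strerror}") from exc
    st = os.fstat(fd)  # inspect the opened object, not the path name
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise PermissionError(f"refusing {path}: not a regular file")
    if st.st_uid != uid:
        # Catches a hard link to someone else's file planted under the log name.
        os.close(fd)
        raise PermissionError(f"refusing {path}: owned by uid {st.st_uid}, not {uid}")
    return fd


def demo():
    """Constructed scenario: a user-writable log directory in which the log
    name has been replaced by a symlink to another file. Returns a dict of
    outcomes so the behaviour can be checked without inspecting output."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.txt")  # stand-in for a root-owned file
        with open(victim, "w") as f:
            f.write("original\n")
        log_link = os.path.join(d, "helper.log")
        os.symlink(victim, log_link)  # the planted symlink
        try:
            open_log_safely(log_link)
            symlink_refused = False
        except PermissionError:
            symlink_refused = True
        with open(victim) as f:
            target_unchanged = f.read() == "original\n"
        # A genuine regular file owned by this process is accepted and written.
        real_log = os.path.join(d, "helper-real.log")
        fd = open_log_safely(real_log)
        os.write(fd, b"helper started\n")
        os.close(fd)
        with open(real_log) as f:
            log_line_written = f.read() == "helper started\n"
    return {
        "symlink_refused": symlink_refused,
        "target_unchanged": target_unchanged,
        "log_line_written": log_line_written,
    }


if __name__ == "__main__":
    print(demo())
```

`O_NOFOLLOW` only protects the final path component; a symlinked parent directory is still followed, which is why the ownership check on the opened file and a root-owned log directory are both still needed.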
The third issue, also rated high, affected NordVPN on macOS again. It could be exploited by an attacker to load arbitrary extensions. The remaining security issues received a severity rating of medium or lower.
Cure53 provides an extensive commentary on its findings in the reports. The conclusions include additional information on the applications, code and infrastructure analyzed during the audit.
The researchers found several areas in which default configurations were used. The Docker configuration, for example, relied on several default configurations that the researchers considered insecure.
NordVPN has addressed these issues in the meantime, which means that they should not be considered a potential security issue anymore.
NordVPN is a popular VPN service that is available in most regions. Third-party audits are carried out to identify potential issues and to fix them, but they are also used by companies to improve transparency and trust.
Internet users may be more inclined to trust an audited service, or one that is audited regularly by third-parties, than a service that has never been audited.
Now You: do you use VPNs?
Never use a VPN provider's application. They have always been riddled with bugs and telemetry. All you need is the OpenVPN software and the .ovpn file. A VPN kill switch (such as vpnnetmon), and you’re good to go. VPN applications tend to be extremely bloated too.
Where I am Nord only provide half of their services, so if there is anything in their client software that can only be used with that software people in my location don’t need it.
The major problem with Nord is their terrible customer support. They are dismissive and the answer to EVERY single problem you report is “DNS issue”. They will make you spend weeks doing irrelevant tests and changes, and oft times their advice is just bad advice.
They recently purchased a bunch of IP addresses from a company in Norway. Their Sydney servers were allegedly running short of IP addresses (All evidence to the contrary though).
Many websites use IP Location databases, so when Nord purchased these IP addresses, they didn’t tell the DBs that and so for the best part of a year people were having problems as they were being reported as being in Norway when in fact they were in Australia. PayPal is one particularly vicious company that hates customers. Connect with one of those servers and you violate their user agreement and will get suspended or banned.
When asked to update the DBs they said “Not our problem”. Today, almost a year later some DBs are still reporting the IPs as being located in Norway and still breaking website and email services.
The only other alternatives here are PIA, and they are now owned by Kape Technologies who are quite untrustworthy, and ExpressVPN which is extremely expensive given the exchange rate.
When it comes time to renew your subscription they don’t make it easy. Despite the issues I’ve been with them for 5 years (if there was a better option I’d leave), but every renewal has been a major drama.
For customer service I’d rate them a 2/10. The VPN service itself though is quite reliable and I would rate 7/10.
“Never use a VPN provider's application.”
More succinctly they are loaded with analytics spyware which keeps track of and reports your every move.
The very issue VPN data mining subscribers are paying to avoid is now running local on their device. The irony is incredible.
The no-log policy is meaningless as it only applies to the VPN company itself NOT its business associates. A simple test is to use a browser ad-blocker and see who is lurking on the VPN’s website.
You can then accurately assume they are also running on the client Trojan-horse software you install.
My solution is to use a Mullvad VPN on a household DD-WRT router. On my iPhone I use their client program. No issues.
+1 for Mullvad. If you want privacy, not hype (and are not primarily using a VPN in getting around streaming geo-blocking, which is not Mullvad’s strong suit), their track record is solid.
Audits are helpful, but they are not magic; they are just a snapshot taken at one point in time. I suggest choosing a VPN with visible ownership, effective management and a history of doing the right thing, not just a single 3rd-party audit.