VPN vulnerabilities: what do they really mean and should you be worried?


The very best VPNs establish a secure encrypted connection between devices over networks, allowing companies and organizations to share resources securely. They were originally intended to allow employees to “dial home” to their corporate mainframe, but these days they are also often used to access geo-specific services or protect people’s online privacy. You can find out more in our guide What is a VPN?

It’s easy to have a false sense of security from using a VPN, given that they use advanced encryption. Still, not all VPNs are created equal, and some, especially the less-than-stellar free VPNs, may have security vulnerabilities in their setup and implementation. You also need to have a clear idea of the limitations of what a VPN can and can’t do.

Rogue users 

Using a VPN alone won’t always protect your systems from hackers. Naturally someone monitoring your connection won’t be able to decipher encrypted information sent over a secure VPN tunnel. Still, this won’t protect you from someone already connected to the virtual private network.

This is a particular concern if you have a large network, as by default VPNs follow an “all or nothing” model. Everyone connected can access all network resources and exploit them. You can reduce this risk somewhat by implementing “zero trust network access”, which can limit access to certain parts of your network to just those who truly need it.

Unprotected connections 

Once a secure, encrypted connection is established across your VPN, attackers will find it almost impossible to read anything meaningful from monitoring your data traffic. But what if something goes wrong at the start?

If the initial connection between your VPN client and server fails, or drops out during use, then by default many devices revert to your former unencrypted connection. If users don’t spot this in time, their data could be at risk.

Fortunately, some providers offer a VPN kill-switch that monitors when this happens. When it occurs, it simply shuts down all network access until the secure connection is established again. You can check with your VPN provider to see if they offer this service. Even if they do, it’s worth testing it whilst accessing some unimportant data to make sure it’s up to scratch. 
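
The fallback described above can be checked from a client's routing table. The following is an added example, not part of the original article: it parses constructed `ip route show` output, assuming a Linux client whose tunnel interface is named tun0, and reports whether traffic would leave over the physical interface once the tunnel's routes disappear.

```python
import ipaddress

# Constructed `ip route show` output with the tunnel up (assumed names: tun0, eth0).
ROUTES_DEFAULT = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""

# Constructed variant: the physical default route is gone; only the host
# route to the VPN server (203.0.113.10) still uses eth0.
ROUTES_LOCKED = """\
default via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Return (network, device) pairs; lines without a device are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if "dev" not in parts[:-1]:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        try:
            net = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            continue  # route types such as "broadcast" or "local"
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes

def egress_device(routes, destination):
    """Longest-prefix match: the device the kernel would send this packet to."""
    dest = ipaddress.ip_address(destination)
    hits = [(net.prefixlen, dev) for net, dev in routes
            if net.version == dest.version and dest in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def fallback_check(route_text, tunnel_dev, destination):
    """Compare egress with the tunnel up and with its routes removed."""
    routes = parse_routes(route_text)
    up = egress_device(routes, destination)
    down = egress_device([r for r in routes if r[1] != tunnel_dev], destination)
    return {"tunnel_up": up, "tunnel_down": down,
            "fails_open": up == tunnel_dev and down is not None}
```

This looks only at routes: a kill-switch built on firewall rules can still block the fallback path, so a `fails_open` result marks a configuration to test rather than a confirmed leak.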

Protocols and patching 

Originally, VPNs used IPsec protocols to send and receive encrypted data. With time, VPNs shifted to using SSL/TLS to secure connections. SSL and TLS are supported natively by servers and web browsers through implementations like the OpenSSL library, making VPN products much easier to create and set up.

However, SSL and TLS can be exploited. Worse still, some of these weaknesses have carried through to VPNs that use them, particularly ones where hackers can gain access to authentication credentials like the private keys used to secure VPNs.

In 2019, researchers at the Black Hat Security conference gave a presentation on how hundreds of such vulnerabilities had been discovered in SSL VPNs along with a demonstration of how to “jailbreak” such networks. 

Unlike normal software products, it’s also not easy to install “patches” to fix such vulnerabilities, as doing so would involve shutting down the entire VPN. This would leave user data at risk.

DNS leaks 

Assuming that a user wants to use a VPN for privacy reasons, DNS leakage is a serious worry.

DNS acts as a virtual telephone directory for the internet, translating the web addresses you type into your browser into machine-readable IP (Internet Protocol) addresses.

All VPN services will establish an encrypted connection between the client and server if set up correctly. However, if the DNS ‘requests’ you make are not also managed by the VPN, then a bad actor may be able to find out which sites you visit. This is known as a DNS leak.

This can occur because your VPN service has left the default DNS servers offered by your ISP in place rather than requiring your device to use their own. But some VPN providers understand how vulnerable this can make your devices and forward all DNS requests to their own servers.  
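
A quick way to spot leftover ISP resolvers is to compare the resolvers a device is configured to use against the ranges the VPN is supposed to supply. The following is an added example, not part of the original article: it reads resolv.conf-style text and sorts each nameserver into VPN, leak or local stub. The sample file, the 10.8.0.0/24 tunnel range and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample: resolver settings after the tunnel came up, with the
# ISP's DHCP-supplied resolvers still present (documentation address ranges).
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
; resolver pushed by the VPN (assumed tunnel range 10.8.0.0/24)
nameserver 10.8.0.1
nameserver 192.0.2.53
nameserver 2001:db8::53
nameserver 127.0.0.53
"""

def parse_nameservers(text):
    """Return the resolver addresses listed in resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        for marker in "#;":                      # both start a comment
            line = line.split(marker, 1)[0]
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            addr = parts[1].split("%", 1)[0]     # drop an IPv6 zone id
            try:
                servers.append(ipaddress.ip_address(addr))
            except ValueError:
                continue                         # ignore malformed entries
    return servers

def classify_resolvers(text, vpn_networks):
    """Sort configured resolvers into VPN-provided, leaking, or local stub."""
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    report = {"vpn": [], "leak": [], "local_stub": []}
    for ip in parse_nameservers(text):
        if ip.is_loopback:
            # A local caching stub: its upstream servers need the same check.
            report["local_stub"].append(str(ip))
        elif any(ip.version == n.version and ip in n for n in nets):
            report["vpn"].append(str(ip))
        else:
            report["leak"].append(str(ip))
    return report
```

An IPv6 resolver left in place, as in the sample, is reported as a leak when the VPN range given covers only IPv4.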

Malware and phishing 

While VPNs can establish encoded connections between your devices, in themselves they can’t do much to protect you from malware or phishing attacks.

In simplest terms, this means if you or anyone connected to your VPN downloads malware to their device and runs it, your device will be affected in the same way as one that didn’t use a VPN.

Similarly, should a user click on a phishing link and enter sensitive data, a VPN won’t help keep this data safe. You can reduce the risk of this happening by improving all-round security: make sure your antivirus software is up to date and install malware removal software and ad blockers.  

Protect against VPN weaknesses

VPNs are not a one-stop security and privacy solution. They need to be properly set up and maintained. You also need to be aware of who else is connecting to them.

If you feel the level of trust you have to give to these people is too great, you may prefer to move to a centralized cloud-based model for people in your organization - especially if you’re still running legacy VPNs, putting you at risk. This will allow you greater control over what resources they access.

If you’re simply accessing a VPN for personal use, choose a reputable provider who regularly conducts VPN audits to protect against weaknesses like these.  

Nate Drake is a tech journalist specializing in cybersecurity and retro tech. He broke out from his cubicle at Apple 6 years ago and now spends his days sipping Earl Grey tea & writing elegant copy.