@paragonie-scott
Last active September 25, 2018 20:26
Interview for Latesthackingnews.com

According to a recent tweet of yours, NordVPN doesn't offer the sort of "military-encryption" that it claims to. Can you elaborate further on this statement?

The term "military-grade encryption" is vapid; it has no inherent meaning, but it's meant to trick people into believing the encryption is secure. NordVPN uses this term a lot in their marketing. A quick decompile and stroll through their Android app's code revealed the snippets I screencapped (mirror), which show that it's not great.

Why do you think that this kind of mechanism for encryption is vulnerable and not safe for its user base?

This requires breaking down what they're doing exactly to understand. They're using AES-CBC, which is the AES block cipher in CBC mode.

In order to use AES-CBC securely:

  1. Each message should have a distinct initialization vector (IV). It's very important that these are both never reused and unpredictable. This implies generating them from a cryptographically secure PRNG (/dev/urandom). A hard-coded IV is unsafe with CBC mode.
  2. The ciphertext and IV must be covered by an authentication tag, e.g. HMAC-SHA256. Otherwise, you introduce the risk of padding oracles.

A hard-coded key is a total game over for this protection.

To be clear, this is their Secure Preferences storage, local to the device, not the encryption that NordVPN is using on the wire. However, given that they copied and pasted it from StackOverflow, it shows that they have a very low quality QA process.

Have you reported about this flaw to NordVPN before public disclosure?

No.

Is this class of security vulnerability affecting multiple VPN providers?

Possibly. I haven't looked at what other VPN providers are doing, since I don't use VPNs. I use WireGuard for my company VPN purposes, and Tor when I want to hide my IP address.

How did you manage to RE NordVPN's software if they have such strict mechanisms in place to resist that?

It was trivial.

What does it show about VPN software and its providers in general? How can one make the wise decision in choosing the right software to guard anonymity?

Don't use VPN services. They're typically run by charlatans. If you need a VPN, set one up yourself. Then you can guarantee whatever privacy protections you desire.

Can you tell us a bit more about yourself as well?

I'm an application security and cryptography engineer, mostly known in the PHP community for getting libsodium into the PHP standard library and writing a pure-PHP polyfill of (most of) libsodium.
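
The two AES-CBC requirements listed in the interview (a fresh, unpredictable IV per message and an authentication tag over IV and ciphertext), shown as an added example that is not part of the interview and is not NordVPN's or the interviewee's code. It uses Node.js's built-in `crypto` module; the function names and the `IV || ciphertext || tag` layout are assumptions chosen for illustration.

```javascript
// Added example (not from the interview): AES-256-CBC with a fresh random IV
// per message, authenticated with HMAC-SHA256 (encrypt-then-MAC).
const nodeCrypto = require('crypto');

const IV_LEN = 16;   // AES block size
const TAG_LEN = 32;  // HMAC-SHA256 output size

// Assumption: keys are generated at runtime and kept in protected storage,
// never embedded in the application. Separate keys for encryption and MAC.
function newKeys() {
  return { encKey: nodeCrypto.randomBytes(32), macKey: nodeCrypto.randomBytes(32) };
}

function rawCbc(encKey, iv, plaintext) {
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([cipher.update(plaintext), cipher.final()]);
}

// Output layout: IV || ciphertext || tag, where tag = HMAC(macKey, IV || ciphertext).
function seal(keys, plaintext) {
  const iv = nodeCrypto.randomBytes(IV_LEN); // unpredictable, never reused
  const body = Buffer.concat([iv, rawCbc(keys.encKey, iv, plaintext)]);
  const tag = nodeCrypto.createHmac('sha256', keys.macKey).update(body).digest();
  return Buffer.concat([body, tag]);
}

// Verifies the tag in constant time BEFORE any decryption or padding check,
// so a modified message never reaches the padding logic (no padding oracle).
function unseal(keys, message) {
  if (message.length < IV_LEN + 16 + TAG_LEN) throw new Error('message too short');
  const body = message.subarray(0, message.length - TAG_LEN);
  const tag = message.subarray(message.length - TAG_LEN);
  const expected = nodeCrypto.createHmac('sha256', keys.macKey).update(body).digest();
  if (!nodeCrypto.timingSafeEqual(tag, expected)) throw new Error('authentication failed');
  const iv = body.subarray(0, IV_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', keys.encKey, iv);
  return Buffer.concat([decipher.update(body.subarray(IV_LEN)), decipher.final()]);
}

// What a hard-coded IV leaks: equal plaintexts give equal ciphertexts.
function fixedIvLeaksEquality(encKey, plaintext) {
  const fixedIv = Buffer.alloc(IV_LEN, 0); // constructed stand-in for a constant IV
  return rawCbc(encKey, fixedIv, plaintext).equals(rawCbc(encKey, fixedIv, plaintext));
}
```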
