NordVPN Plans Security and Privacy Upgrades After Hack

NordVPN has announced that they are instituting new measures to better enhance security and to proactively detect security issues in their infrastructure after one of their server was hacked.

Last week BleepingComputer reported that multiple VPN providers were hacked and a user was able to gain full root access to one of their servers. These servers were colocated at a third-party hosting company where the hacker was allegedly able to gain access through an unsecured IPMI remote management interface.

NordVPN was one of the VPN providers who had a server hacked and while they stated that the server did not contain any logs, user names and passwords were not accessed, and that data could not be decrypted, the attacker did have full access to this server.

Even though NordVPN stated that this hack did not cause any damage, some were not convinced and felt that it may have been possible for an attacker to decrypt some of the traffic at the time of the attack.

New security measures being introduced

In a statement sent to BleepingComputer, NordVPN outlines how they plan on instituting five new security measures in order to better protect their infrastructure.

To start, NordVPN is hiring cybersecurity consulting firm VerSprite to perform penetration testing on NordVPN's infrastructure in order to discover weaknesses and resolve any discovered vulnerabilities.

They are also introducing a bug bounty program so that independent security researchers can discover vulnerabilities and report them to NordVPN for a bug bounty reward. NordVPN has told BleepingComputer that they have not decided as of yet if they will create a self-managed bounty program or use a company like HackerOne.

The third new security measure is to perform a "full-scale" third-party security audit of their infrastructure, VPN software, backend, hardware, source, and internal procedures. NordVPN has not stated who will be performing this audit.

To protect their servers from unauthorized access or unknown "features" such as IPMI devices that got them into this trouble in the first place, NordVPN plans on colocating only dedicated servers that they exclusively own. This means that they will no longer rent servers from third-party hosting companies, which crosses a security boundary that they no longer can control.

The fifth, and final, security measure is to upgrade their entire infrastructure of 5,100 servers to RAM servers. According to NordVPN, this will allow them to deploy servers where nothing is stored locally, including the operating system.

"Diskless servers. NordVPN is planning to upgrade their entire infrastructure (currently featuring over 5100 servers) to RAM servers. This will allow to create a centrally controlled network where nothing is stored locally — not even an operating system. Everything the servers need to run will be provided by NordVPN’s secure central infrastructure. If anyone seizes one of these servers, they'll find an empty piece of hardware with no data or configuration files on it."

This does not quite make sense as even servers hosted entirely in RAM can still be hacked. According to a statement from NordVPN they will be restricting SSH access to their IP addresses and that remote management would require a restart, which wipes the data in RAM.

"The only way to access the server with OS already booted is over firewalled SSH (Secure Shell) connection. However, SSH would only be available for us to access and only over a single IP address, whitelisted on the system. Meanwhile, any access over a remote management system would require a server restart, which would immediately wipe out all the data. Therefore, moving to RAM servers would virtually eliminate the possibility of unauthorized access over IPMI."

While this definitely increases security, if there any other accessible services and those were hacked, attackers could still gain access to the machine and the data currently running on it.

Disclosure: BleepingComputer is an affiliate of NordVPN.

Update 10/29/19 6:24 PM EST: Added statement from NordVPN about RAM servers.