Author: Amy Babinchak, MSP, IT Influencer, & President of the National Society of IT Service Providers

There’s a time and a place for a VPN

Site-to-site communications – certainly. Standing in front of a necessary RDP connection – certainly. On your laptop or mobile phone to protect your privacy – maybe or maybe not.

There’s a great deal of interest in protecting privacy on mobile devices. This covers the activity of both your phone and your laptop as they move from Wi-Fi to Wi-Fi or operate over cellular, and it’s not just for the paranoid; it’s a security best practice. But are end users being taken advantage of? As MSPs, we need to give them some guidance, and maybe even scare them a bit, because it’s ugly out there and they are being taken advantage of.

Here’s what I tell my clients


Most VPN applications available in the app store for your mobile device are actually spy apps. Let me try to explain something very technical in a hopefully clear manner.

Let’s review how a VPN works

Most people think that a VPN works like the picture below. You’re on your computer or phone running a VPN app to protect the data you’re sending and to avoid being tracked; the VPN encrypts your data and sends it to the destination app or website on the Internet. While that is technically true, they have not told you something very important about the green tube in the image below.


The secret of VPNs, and the reason a VPN app is such a good way for criminals to obtain your data, is that your traffic is decrypted at the VPN server and then sent on, unencrypted, to its final destination. Follow the green line below and notice that it doesn’t stop at the Internet. Your Internet traffic is encrypted by the app on your device, and that app sends the encrypted data to a VPN server.


Here’s where VPN security can fail. That VPN server is owned by the company that sold or provided the VPN app to you. Your data is decrypted by the VPN server, then sent unencrypted to its final destination (see the dotted line below). Therefore, you must trust that VPN server completely. It can read everything you send if it wants to. It can even modify the payload.
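A toy model of the green line and the dotted line, added here as an illustration (not the author’s code or any real VPN product): the device encrypts toward the VPN server, but the server has to decrypt to know where to forward, so whatever the application did not already encrypt end-to-end sits in plain text on that server. The keys, nonce, hostname and request are constructed demo values, and the SHA-256 keystream stands in for a real cipher.

```python
"""Toy model of a VPN tunnel: the provider's server decrypts the tunnel before
forwarding, so it holds the plaintext of anything not encrypted end-to-end."""
import hashlib

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256 in counter mode. Illustration only, not a real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with the keystream; the same call both encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def client_send(tunnel_key: bytes, nonce: bytes, destination: str, payload: bytes) -> bytes:
    """VPN app on the device: wraps 'destination + payload' and encrypts it for
    the VPN server only (the green line from the device to the server)."""
    return xor_crypt(tunnel_key, nonce, destination.encode() + b"\x00" + payload)

def vpn_server_forward(tunnel_key: bytes, nonce: bytes, packet: bytes) -> tuple[str, bytes]:
    """VPN provider's server: it must decrypt to learn where to send the traffic,
    so everything returned here is what it can read, log or alter before it
    forwards the data on to the Internet (the dotted line)."""
    inner = xor_crypt(tunnel_key, nonce, packet)
    destination, _, payload = inner.partition(b"\x00")
    return destination.decode(), payload

def what_the_server_sees(end_to_end: bool) -> tuple[str, bytes]:
    """Compare a plain request with one the application itself encrypted
    end-to-end (as HTTPS would) before handing it to the VPN app. Even then the
    server still learns the destination, so it must still be trusted."""
    tunnel_key = b"shared-with-vpn-provider"   # constructed demo key
    app_key = b"shared-with-website-only"      # constructed demo key; server lacks it
    nonce = b"\x01" * 8                        # constructed demo nonce
    request = b"GET /account HTTP/1.1\r\nCookie: session=abc123\r\n"  # constructed
    if end_to_end:
        request = xor_crypt(app_key, nonce, request)
    packet = client_send(tunnel_key, nonce, "example.com", request)
    return vpn_server_forward(tunnel_key, nonce, packet)
```

With `end_to_end=False` the server returns the cookie in clear text; with `end_to_end=True` it still returns the destination host but only ciphertext for the request body.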


Those VPN servers can be in hostile countries, run by organized crime, serving up malware to you, or selling your information. This is why you must know who runs the VPN server, and why you must trust them like you trust no one else, because that VPN server will know everything about you.

And then I give them a list of VPN apps to avoid that I obtained from publicly published lists of bad VPNs from various articles and industry publications.

No VPN is better than a bad VPN

If you don’t have a VPN, then you might get your data sniffed, but if you have a bad VPN you WILL get your data sniffed. I didn’t realize the extent of the problem until a client had one and I read this academic study of VPN apps in the Android store:

>> “…75% of them use third-party tracking libraries and 82% request permissions to access sensitive resources including user accounts and text messages.”

>> “…over 38% of them contain some malware presence according to VirusTotal”

>> “…18% of the apps do not mention the entity hosting the terminating VPN server.

>> Our network measurements also suggest that 16% of the analyzed apps may forward traffic through other participating users in a peer-forwarding fashion rather than using machines hosted in the cloud.”

>> “…18% of the VPN apps implement tunneling protocols without encryption” 

>> “…66% of the analyzed VPN apps do not tunnel IPv6 and DNS traffic through the tunnel interface respectively due to lack of IPv6 support, misconfigurations or developer-induced errors”

>> “We identified two VPN apps actively injecting JavaScript code on user’s traffic for advertisement and tracking purposes and one of them redirects e-commerce traffic to external advertising partners.”

>> “Four of the analyzed VPN apps compromise users’ root-store and actively perform TLS interception...”

In addition, they identified that some of the popular VPN apps have endpoints hosted with home-based ISPs. You can read that as someone’s Comcast router at home. How much do you trust a random stranger’s basement?

This is such a mess.

Is there a safe VPN?

Yes, there is.

We can think of VPNs as having two purposes. One type connects you securely to your office computer or office server. The other type encrypts all traffic regardless of the final destination and is commonly called a privacy VPN.

Let’s look at solutions for both types of VPNs.

VPN to your office

You probably already own this VPN software. If you use a business-class firewall, it will generate a unique VPN package that is tied to your computer and your credentials. If someone tries to connect from another computer, or as a different user, the connection will fail. This VPN tunnel is terminated at the firewall and nowhere else, so it’s trustworthy because you own the VPN endpoint (the firewall). To use this VPN, you turn it on when you want to connect to the office and turn it off when you are finished.

VPN for privacy

A privacy VPN is recommended when you are using your phone or computer on a network that you don’t trust. You might already own a privacy VPN too. The most common example is when you’re in a public place like a coffee shop, restaurant, friend’s home, or another business, including your client’s or customer’s office. These are all places where you have no firsthand knowledge of the health of the network you are joining, and in that case you would want to use a privacy VPN. Privacy VPNs are commonly used on phones and computers for general surfing and email. They are also used by businesses that don’t have a central office network and instead use only cloud apps.

These privacy VPNs are where all of the VPN troubles listed above reside. We can solve that problem by making sure that we know and trust the VPN server. To do that, you’re going to have to pay for the VPN service. Tip #1 is to avoid free VPN applications. This will keep you away from the vast majority of the problems out there.

Do a bit of research.

>> Use your search engine and look for the negatives

>> Ignore simple star ratings. They’ve likely been stacked

>> Go with a name you know and trust

>> Start with your trusted security provider

Our advice


As MSPs, we have a responsibility to educate our clients. The war in Ukraine and continued nationalism in the United States have brought security and privacy issues to the front for many people. If you haven’t already talked to your clients about the VPN problem, then you really need to. Be prepared with your solution to the problem and provide that guidance. Businesses look to the experts among their vendors to be proactive in guiding them through this crazy world of security, and MSPs can absolutely do this. We help businesses pick apps every day, and a VPN app is no different.

Here’s the rest of the message that I told my clients: In short, if you downloaded a VPN app to your phone or computer, speak up now and probably uninstall it now. Let us help you get set up with a legitimate safe VPN service. You probably already own one.

About the Author

Amy Babinchak is a highly respected technology business and M&A expert, influencer, thought leader, and President of the National Society of IT Service Providers. Her companies have won many awards, and we are honored that she’s a member of the Modern MSP Community.