Could Your Passwords Be at Risk When Using VPN Apps?
A Virtual Private Network – or VPN, in short – is supposed to make your virtual presence more secure. With a VPN account, you should be able to browse the web anonymously using a temporary IP address. Whether you are trying to hide some of your activity, or you simply want your virtual presence to be as anonymous as possible, it is unlikely that you would suspect your VPN app of choice to betray you. Unfortunately, it appears that it all depends on the app you install and use. Needless to say, if you downloaded some app that no one has ever heard of, you are at greater risk of exposing yourself to security issues. That being said, even well-reviewed apps could turn out to be not so trustworthy.
CERT and CISA warn about vulnerabilities of VPN apps
The CERT Coordination Center at the Carnegie Mellon University issued a vulnerability note regarding flawed VPN apps. This note was immediately pushed by the US Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), and, hopefully, that is proof enough that this vulnerability must be taken seriously. According to the note, apps use unsecure session cookies to store authentication data. This information is also missing secure encryption, which means that it could be exposed during an attack. The vulnerability note specifically listed 5 different products by 4 different companies that contained the vulnerability. Here is a list of all of these products:
- GlobalProtect Agent 4.1.0 and earlier versions by Palo Alto Networks
- Pulse Desktop Client 9.0R2 and earlier versions and 5.3R6 and earlier versions by Pulse Secure
- Pulse Connect Secure 9.0R2 and earlier versions, 8.3R6 and earlier versions, and 8.1R13 and earlier versions by Pulse Secure
- Cisco AnyConnect 4.7.x and earlier versions by Cisco
- FirePass by F5 Networks, Inc.
According to the researchers, if an attacker manages to gain access to the session cookies used by these VPN apps during an attack, they could bypass authentication methods, which, in turn, could allow them to access applications that the user connects to via VPN sessions. Because the flaw has been found to affect earlier versions of GlobalProtect Agent, Pulse Desktop Client, and Pulse Connect Secure apps, users should immediately update the software to ensure that the latest versions are run. At the time of research, there was no information regarding the patches for Cisco AnyConnect and FirePass apps.
How to use VPN apps safely
If you are reading this report, the chances are that you have used one of the mentioned VPN apps in the past. Of course, depending on the app you use, you might fix the discussed problem by installing the latest version of the app, but that is not the only thing you should take care of. In fact, updating apps and upgrading them to the latest versions available is the most basic step that every user must know. The security of VPN apps goes way beyond that. First of all, you need to understand that a VPN app is NOT a security app, and you need appropriate security software to protect you and your virtual identity.
26% of Internet users in the world use VPN services. These services are most popular in Asia, where 30% of users employ it regularly. The VPN market is growing fast, and it is believed to reach 23.6 billion in 2019, and go up to 35.73 billion by 2022. Clearly, the demand for VPN apps is growing, and that means that the supply should increase also. With that, inadequate, unreliable, and even malicious apps could be created. Some of them could be poorly managed, and they could contain flaws permitting remote attackers to, for example, access authentication data. On the other hand, we could also face VPN apps exposing passwords deliberately. This is why it is also CRUCIAL to inspect and research the apps before downloading and using them.
If you install a legitimate VPN app that is supposed to offer a beneficial and reliable service, and you stay on top of updates to ensure that security flaws – if they exist – are patched in time, you might consider yourself safe. Not so fast. What about the password you set to secure the app? Your VPN password must be secure, and we have a few tips when it comes to that.
Secure VPN app password vs. generic password
Hopefully, it goes without saying that setting up a secure password is far more superior than typing in the first word that comes to your mind when creating it. Some VPN apps expose passwords due to existing flaws, and others are exploited because of the mistakes made by their users. Hacking a VPN password might be easier than you think, and placing a weak password does not help things AT ALL. Luckily, the solution is simple: You need to create a password that holds up. First and foremost, this password cannot be generic. Something like password123, myvpnpassword, or qwerty would not protect your VPN app against a 5-year-old. You want to create a password that is long, random, and contains various kinds of symbols. Here are a few great examples that were created using the Cyclonis Password Manager’s Password Generator: P^&2!9dMPC%, 4D13k3rch00m8hu630, or 9J6C+q=!+?@:!*:-+^?.
The second important rule of creating strong passwords is to never reuse/recycle them. If you think that one good, 20-character long password will protect every single account you own, you are sadly mistaken. Unfortunately, even strong passwords can be stolen if, for example, the service provider’s security is breached. In such a scenario, even a strong password can open the doors to other accounts that you own. The only downside to creating a strong VPN app password is that it might be hard to remember, which is exactly why we recommend installing Cyclonis Password Manager, a free password management tool that will encrypt and protect all of your passwords. If you know that a VPN app exposed passwords already, change them now and save them using Cyclonis to increase your security.