Free VPN Security Risks
VPNs or Virtual Private Networks are a critical component of any security plan. A VPN leverages encryption to create a secure tunnel between endpoints or networks within a public network. This tunnel allows for a secure connection to your corporate network while also adding a layer of security to traditionally less secure protocols and services. Requiring VPNs for all off-network connections made our 2022 security checklist.
VPN usage is growing fast and is generally driven by obvious security motivations, but privacy is often also a concern for users. VPN services allow users to change IP addresses, which can obfuscate a user’s true geographical location. This ability to conceal identity and location, along with securing data through an encrypted tunnel, thwarts the common network traffic spying done by ISPs, browsers, and website ad networks, allowing for improved user privacy.
However, user privacy benefits of VPNs can be eliminated when the VPN service is breached. The data of 21 million users was exposed in early 2021 when account logins for GeckoVPN, SuperVPN, and ChatVPN — all free VPNs — were listed for sale on the dark web. According to Malwarebytes, seven free VPN providers were responsible for 1.2TB of data leaks. Much of that data included user logs that the companies claimed were not even stored.
The consumer market for VPN services is growing fast and is rife with fraud. Many consumer-based free VPN services are repackaging the same VPN service under various names in an effort to trick users. VPN services rely on an inventory of IP addresses they can make available to their users. Acquiring IP addresses through traditional channels is expensive — especially when your address requirements are in the millions to meet user needs. To avoid this expense, lower-tier consumer-based VPN services have been using the IP addresses of their own users. This means that when you install the VPN software, you are allowed to choose a different IP address than your own, but you are ultimately choosing someone else’s IP, and someone else may be choosing yours. In this setting, users unknowingly open themselves up to routing harmful or illegal traffic through their devices and network.
The effect of trying to offer a traditionally expensive service to consumers at the cheapest rate, or even for “free,” has resulted in many VPNs ultimately being repackaged botnets. These services, often marketed as “free VPN” or “free proxy,” are powered by software that turns the user’s PC into a traffic relay for other users. To make the offense worse, these discount VPN services rely on constantly adding users to maintain their inventory of IP addresses, and they often meet these new-user quotas through pay-per-install affiliate programs that install the VPN software on unsuspecting users who are installing other programs. One popular free VPN offering known as “911” relied on this type of distribution for growth. Recently, researchers at the University of Sherbrooke in Canada published an analysis of the China-based 911 and found there were roughly 120,000 PCs for rent via the service, with the largest number of them located in the United States.
The lesson here is simply that “free” is often too good to be true. And it’s definitely not worth risking your organization’s security through a service that can effectively become a Trojan horse. The good news is you don’t have to look very far to find a reputable VPN provider. We recommend WatchGuard VPN, which not only legitimately secures your data but also offers ease-of-use features such as always-on connectivity, Windows pre-logon, seamless routing, and an integrated personal firewall. Contact us to learn more about the security advantages available.