December 8, 2020
Virtual Prying Network: Who Are We Saving Data From?
One of the things we learned quickly during the pandemic is the importance of VPN services.
Most of us have had some experience working remotely, and doing that without a VPN is often frowned upon. Such activity heightens security risks directed at the organization’s network while also endangering the personal data of employees who don’t have the corporate-level protection running on their devices.
While it is challenging to recreate the office environment from a security perspective, VPN products have been a popular solution to mitigate data loss and tampering risks. Most VPNs are user-friendly and have practical benefits for regular users, such as unlocking Netflix or accessing geo-blocked content on YouTube, so they are mostly welcomed to personal devices.
Apart from unlocking geo-restrictions, VPNs are used to secure user access and send data over encrypted channels. This fits perfectly with a corporate goal to protect sensitive data from man-in-the-middle attacks carried out by spies and cybercriminals.
But what if VPN service providers themselves take on the role of the offenders?
What if the services we choose to protect our privacy act like the very people we want protection from in the first place? Unfortunately, there is plenty of precedent for this, and some service providers engage in decidedly shady practices.
In this post, I will share my observations about Bitdefender VPN.
Initial Impressions When Dealing With Bitdefender VPN
To start us off, I will declare that my findings here are not ground-breaking or overly surprising, but they still deserve some attention.
This blog post is meant to raise my audience’s awareness of VPN products in general, even though only Bitdefender is mentioned.
First of all, many of you are familiar with Bitdefender mostly as antivirus software, not a Virtual Private Network. Their VPN service is just a part of a broader security suite, and by design, it doesn’t work separately from the package.
That’s right. You can’t use the VPN without installing a Bitdefender antivirus first.
To step back a little, Bitdefender’s history goes back to the ‘90s, when the key people behind this Romanian company, Florin and Măriuca Talpeș, left the Romanian government’s computer research unit.
Only to find out that the VPN services section did not get quite enough coverage to satisfy the curiosity.
Brevity Is Not Always The Soul of Wit
Even though Bitdefender’s take on VPN is only two paragraphs long, there’s quite a lot to unwrap here:
“Applying the data minimization principle, we collect for this service only randomly generated or hashed user and device IDs, IP addresses and randomly generated tokens to establish VPN connection for the sole purpose of providing the VPN service. For this service, we use AnchorFree as a data processor who processes data on behalf of Bitdefender in accordance with Bitdefender's instructions and for the sole purpose of providing VPN services to users.”
Of course, the standout piece of information is the involvement of AnchorFree as a data processor for Bitdefender. AnchorFree processes encrypted IP addresses, session bandwidth, connection timestamps, aggregated website logs at the domain level, approximate geolocation, and device information.
Since AnchorFree is a data processor, it should only store information requested by Bitdefender.
The problem is that Bitdefender does not have a well-defined logging policy, so it’s hard to say what information is retained. When we talk about VPNs, user data should not be handled by a third-party company at all.
Let’s go back in time one more time to understand why that’s a bad practice.
AnchorFree has been involved in a major privacy scandal: its Hotspot Shield VPN product was accused of selling and sharing user data with advertisers. Just so you know, AnchorFree now goes by the name Pango, and perhaps this rebranding was not initiated for cosmetic reasons alone.
Furthermore, in 2018, independent security researcher Paulos Yibelo disclosed CVE-2018-6460, a vulnerability that allowed unauthenticated requests to reveal sensitive information about the active VPN service and its configuration details.
The bigger problem is not the existence of such a vulnerability but the company’s failure to react to the initial disclosure.
Self-Inflicted Man-In-the-Middle Attack?
VPNs tend to track all sorts of data about users, but not all of them are as invasive and aggressive as Bitdefender.
After taking a minute to read about the company, I decided to finally try it out. I installed Bitdefender VPN and went on to look at the computer’s certificates, only to discover that Bitdefender had put itself among the trusted certification authorities on the machine.
In turn, this allows Bitdefender to decrypt all your traffic and inspect it. Defeats the purpose of a VPN, don’t you think?
It must be said that Bitdefender antivirus acts as a man-in-the-middle (MitM) proxy to inspect secure HTTPS connections (a practice employed by the majority of antivirus vendors). Still, this behavior is unacceptable in the context of Virtual Private Networks, as it defeats their very purpose: protecting the privacy of their users.
In the past, Bitdefender products failed to check the revocation status of SSL certificates before replacing them with new ones, signed by a locally installed root certificate, in order to scan encrypted HTTPS traffic.
This is done for parental control, for identity protection, and to detect potential malware on HTTPS websites, but is it worth it?
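The quickest way to verify the observation above on your own Windows machine is to compare the trusted root stores against a baseline taken from a clean install. This is an added example, not code from the post or from Bitdefender; the baseline file path is an assumption, and the file is expected to hold one thumbprint per line, exported with the same command from a machine without the product installed.

```powershell
# Added example (not from the original post): list root certificates in the machine-wide and
# per-user Root stores that are not in a baseline from a clean machine. A root added by a
# TLS-inspecting product shows up here; its Subject usually names the vendor.
$baselinePath = 'C:\baseline\root-thumbprints.txt'   # assumed path; export it from a clean machine with:
# Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root | ForEach-Object Thumbprint | Set-Content C:\baseline\root-thumbprints.txt

$baseline = @{}
if (Test-Path $baselinePath) {
    Get-Content $baselinePath | ForEach-Object { $baseline[$_.Trim().ToUpper()] = $true }
} else {
    Write-Warning "No baseline found at $baselinePath; every root will be listed."
}

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { -not $baseline.ContainsKey($_.Thumbprint.ToUpper()) } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotBefore  = $_.NotBefore   # a root "issued" around the product's install date is a strong hint
                NotAfter   = $_.NotAfter
            }
        }
}

# Newest roots first: a recently installed interception CA will be at the top of the list.
$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

Windows also adds roots automatically through its root-certificate update program, so review each hit rather than treating every new thumbprint as an interception CA.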
Other Findings and Final Thoughts
Bitdefender VPN leaks your DNS information, making you vulnerable to the aforementioned man-in-the-middle attacks from malicious servers.
It also means that ISPs will be able to see and record the name of every website you visit while Bitdefender VPN is running. Bitdefender also won’t cut it if you intend to use the service to evade censorship: it does not work in Belarus, Russia, China, Iran, Iraq, the UAE, Turkey, or Oman.
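A DNS leak of the kind described above can be checked locally before relying on an external leak-test site: with the VPN connected, list every configured resolver and the interface Windows would actually route a query to it over. This is an added example, not code from the post or the product; the VPN adapter name is an assumption, so confirm it with Get-NetAdapter first.

```powershell
# Added example (not from the original post): find DNS resolvers that would be reached outside
# the VPN tunnel. Any resolver whose egress interface is not the VPN adapter receives queries
# in the clear on the physical network, which is what lets an ISP see every hostname you look up.
$vpnAlias = 'Bitdefender VPN'   # assumed adapter alias; check Get-NetAdapter on your machine

$rows = foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($server in $cfg.ServerAddresses) {
        # Find-NetRoute returns the chosen local address and the matching route entry;
        # both objects carry the InterfaceAlias the packet would leave on.
        $egress = Find-NetRoute -RemoteIPAddress $server |
                  Select-Object -ExpandProperty InterfaceAlias -Unique |
                  Select-Object -First 1
        [pscustomobject]@{
            ConfiguredOn = $cfg.InterfaceAlias
            Resolver     = $server
            Egress       = $egress
            OutsideVpn   = ($egress -ne $vpnAlias)
        }
    }
}

$rows | Format-Table -AutoSize
if ($rows | Where-Object OutsideVpn) {
    Write-Warning 'At least one DNS resolver is reached outside the VPN tunnel.'
}
```

A loopback resolver (127.0.0.1, used by some local DNS proxies) will be reported as outside the tunnel; in that case check where the proxy itself forwards queries.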
As for the positives, Bitdefender didn’t have any WebRTC, IPv4, or IPv6 leaks, and it offers good speeds compared to other services, all thanks to Hotspot Shield’s proprietary Catapult Hydra protocol, which is itself not untainted. But let’s be clear: connection speeds mean nothing if the core qualities we look for in a VPN are non-existent, which is certainly the case here.
Of course, the typical end-user will never look for certificates or wonder where the data holder is located and what legislation it must follow. Still, it’s safe to assume that there are better alternatives to Bitdefender on the market.
I won’t name-drop any recommendations (you get enough of that from YouTube content creators), but I would certainly not recommend using Bitdefender VPN if you’re looking for a service to protect your privacy.