August 20, 2022

Hacker VPN Logs Expose Massive Fraud

During the pandemic, a lot of vulnerable people were depending on VPN services to get around their governments’ biased reporting on the impact of Covid-19. Some countries were hiding millions of deaths and insisting everything was normal. Only by using a service that would circumvent local blocks and censorship could people access the real science and statistics behind the disease that paralyzed the world.

Hong Kong’s population was among the most vulnerable to misinformation. They were under the thumb of China’s reporting policies, which were cracking down extra hard on any implication that the virus had origins on the mainland, manifesting first in the Hubei province in or around the city of Wuhan.

Any realistic statistics or estimates, any way to gauge the danger or the situation in the outside world, was out of reach for the people of Hong Kong unless they could safely access outside information. So they turned to VPNs.

What happened next was an exposé on seven of Hong Kong’s most popular VPN services that shook the entire industry. In this article, we’ll talk about the hacker VPN logs that exposed this massive fraud, and how actual lives were put in danger by reckless, lying VPN providers.


How It All Started

UFO VPN in Hong Kong claimed to be a ‘zero log’ provider of virtual private networks. White hat hacker Bob Diachenko, the head of Comparitech’s security research division, examined these claims firsthand as part of an independent probe.

To Bob’s horror, he found that UFO’s claims were not only false, but that their security was almost nonexistent. An entire array of user logs, access records, and authentication attempts was available on a web page that required no password. All you needed to do was browse to the right URL, and the logs were freely available for the taking.

Comparitech reported the breach to UFO immediately, giving them all the details they would need to plug the hole and correct any accidental logging that might be taking place. But instead of implementing a fix, they tore open an even larger hole. The cache of user information exposed on July 20 was simply hosted on a different IP address, and the contents were even more expansive than the earlier leak. With no other choice, Diachenko and his team informed the world that users could not trust UFO VPN to provide secure, private networking services.

The Escalation

That same month, Noam Rotem's team at VPNmentor was doing their own investigation of Hong Kong-based free VPN services. They discovered that a total of seven of these VPN providers were not only lying about their logs but had them available for open examination. Usernames, IP addresses, passwords, PayPal account information, Bitcoin payments… all just sitting there in plain-text, unencrypted files.

In total, 1.2TB of logs were exposed to the public. But to be much more specific: 1.2TB of logs were exposed to the Chinese government.

Whether these free VPN services had been set up as a trap by government forces, or whether it was sheer incompetence, these lying ‘no log’ VPN companies put hundreds of thousands of lives in danger. People who just wanted privacy from the Chinese government were now put under the microscope, their activities laid bare. And tens of millions of others from around the world had their personal and financial information put on public display.

Ultimately, the responsibility falls on the shoulders of Dreamfii HK Limited, the holding company that controls these and many other free VPN services in the area. Whether they’re complicit, incompetent, or simply don’t care is still unknown.

It started with just one white hat hacker, VPN logs that couldn’t be explained, and a quiet word to the company in question so that they could fix their issues. But it ended up being a multi-company screw-up of epic proportions. A cabal of lying VPN corporations - all under common ownership - that either accidentally or purposefully sold out their users to the Chinese government.

Can’t Prove A Negative

The biggest problem with VPNs that claim they keep ‘absolutely no logs’ is that you can’t prove a negative. If logging isn’t taking place, there’s nothing to find. But if logs do exist, they could be kept onsite, offsite, in the Cloud, or on backup media… there are simply too many possibilities to check comprehensively. It’s only when a serious screw-up, a government seizure of their server, or a hack takes place that we find out the truth.

Even auditing isn’t a guarantee. A VPN service could easily call an auditor, turn off their logging capabilities for a few days, and then turn them back on after the consultants have left the building.

Because you can’t prove a negative, you simply have to take the VPN provider at their word. So the question becomes: Who do you trust?

Even When They Work, VPNs Are Poor Privacy Shields

VPNs are, and always have been, designed as a security measure. Not privacy… security.

Their origins are in the ability to connect to a corporate network remotely. They open an encrypted tunnel between point A and point B, and the remote user can access the internal business network.

In order to be an effective privacy measure, a VPN would need to do three things: Disguise your IP address, block harmful tracking cookies, and obfuscate your hardware and browser fingerprint.

VPNs only do one of those three things. And as we saw in the story above, if they secretly keep logs, then even IP address masking is a useless measure. Without a doubt, browser fingerprinting is the number one privacy threat of the 2020s. Third-party cookies might be dying a slow death, but the rise of identifying people through their unique combination of hardware and software has just begun.
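
To make the point above concrete, here is an added example (not from the original article) showing why masking the IP address alone does not break linkage: a fingerprint built from browser and hardware attributes stays identical when the same browser reappears behind a VPN exit address. The field list, helper names and sample visits are constructed for illustration, and the IP addresses come from documentation ranges.

```javascript
// Added example: constructed data and hypothetical helper names.
// Attributes a site can read without cookies. The IP address is not one of them.
const FP_FIELDS = ['userAgent', 'screen', 'timezone', 'language', 'gpu', 'fonts'];

// FNV-1a style 32-bit hash over UTF-16 code units; keeps the example dependency-free.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Canonicalise the attributes (list values sorted) so ordering noise does not matter.
function fingerprint(visit) {
  const canonical = FP_FIELDS.map((f) => {
    const v = visit[f];
    return `${f}=${Array.isArray(v) ? [...v].sort().join(',') : String(v)}`;
  }).join('|');
  return fnv1a(canonical);
}

// Group visits by fingerprint and report every fingerprint seen from more than one IP.
function linkAcrossIps(visits) {
  const ipsByFp = new Map();
  for (const v of visits) {
    const fp = fingerprint(v);
    if (!ipsByFp.has(fp)) ipsByFp.set(fp, new Set());
    ipsByFp.get(fp).add(v.ip);
  }
  return [...ipsByFp]
    .filter(([, ips]) => ips.size > 1)
    .map(([fp, ips]) => ({ fp, ips: [...ips].sort() }));
}

// Constructed sample visits.
const laptop = { userAgent: 'Mozilla/5.0 (X11; Linux x86_64) Chrome/104.0', screen: '2560x1440x24',
  timezone: 'Asia/Hong_Kong', language: 'zh-HK', gpu: 'ANGLE (Intel UHD 620)',
  fonts: ['Noto Sans CJK', 'DejaVu Sans', 'Liberation Mono'] };
const phone = { userAgent: 'Mozilla/5.0 (Linux; Android 12) Chrome/104.0 Mobile', screen: '1080x2400x24',
  timezone: 'Asia/Hong_Kong', language: 'en-GB', gpu: 'Adreno 650', fonts: ['Roboto'] };
const SAMPLE_VISITS = [
  { ip: '203.0.113.7', ...laptop },                                       // direct connection
  { ip: '198.51.100.42', ...laptop, fonts: [...laptop.fonts].reverse() }, // same browser, VPN exit
  { ip: '192.0.2.15', ...phone },                                         // unrelated device
];
console.log(linkAcrossIps(SAMPLE_VISITS)); // one entry: the laptop, seen from two IPs
```
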

It’s high time that people looked at VPNs strictly as security and utility services. Privacy software needs to cover many layers of the modern networking model that a VPN simply can’t handle. Let’s treat these functions separately and stop relying on the wrong tool for the job.

Will R
Hoody Editorial Team

Will is a former Silicon Valley sysadmin and award-winning non-functional tester. After 20+ years in tech, he decided to share his experience with the world as a writer. His recent work involves documenting government hacking methods while probing the current state of privacy and security on the Internet.
