back to article NordVPN rapped by ad watchdog over insecure public Wi-Fi claims

NordVPN has been told to stop misleading world+dog with claims in telly ads that public Wi-Fi is inherently insecure. Britons will be familiar with NordVPN's recent ad spot, which featured some credulous loon in a railway carriage handing out his credit card, phone, passwords and so on to random strangers. The Advertising …

  1. Amias

    Train WiFi was actually that bad for a while

    The first iteration of WiFi on trains in the UK was actually that bad , it had no encryption and you could just use wireshark everyones connections.

    1. TRT Silver badge

      Re: Train WiFi was actually that bad for a while

      Before now I have been sitting on a train whilst some bozo decides to hand out a whole range of personal information via telephone banking. I think they were opening an account or something. Spelling their surname, speaking their whole name, giving their address, setting up a security password, date of birth... I mean, utter lunacy. At least my bank ran me through some basic security checks before that - Are you in your own home? Is there anyone else present in the room? Are your windows open? Can you be overheard? Are you sure that the information you are about to give me over the phone cannot be heard by anyone else, known to you or unknown?

      So really... Nord... I mean, VPN is a good idea, and I know that you're not wanting to bog your adverts down with technical stuff... but I'm connecting to YOUR VPN, and that's going to be over public WiFi possibly, and so the technologies that make THAT secure... how can I be any more sure that that's more secure than the technologies that my bank are using to encrypt and secure the connection with me? I'm still connecting, and VPN is really only a tunnel - it's only ONE straw out of a bunch of straws.

      1. billdehaan

        Re: Train WiFi was actually that bad for a while

        At least my bank ran me through some basic security checks

        Someone posted a link the other day to their bank's security question. The security code was "your home phone number".

        Apparently, some banks believe it is difficult to impossible to... look up a phone number.

        Having worked at two banks in my life, I can attest that there are people to whom that would be an breakable code. Not to all, however. But then, given the number of banking cards that have been forgotten by customers on top of ATMs, complete with the PIN code written on the back of the card in a magic marker, I've stopped being incredulous about these things.

        1. JohnFen Silver badge

          Re: Train WiFi was actually that bad for a while

          Security questions are notoriously poor security, as they are always things that are easy and reliable for people to remember -- thus are things that can be discovered by others with a modicum of research.

          For years, I've been recommending to people that if they have to set answers to security questions, don't actually answer the question asked. Use the question as code for something unrelated. "What's your favorite color?", for instance, can be reinterpreted and answered as "What is every character of your home address" or something.

          1. JohnFen Silver badge

            Re: Train WiFi was actually that bad for a while

            ""What is every character of your home address""

            Ugh. I meant "What is every other character of your home address".

            1. Allan George Dyer Silver badge
              Boffin

              Re: Train WiFi was actually that bad for a while

              @JohnFen - "Ugh. I meant "What is every other character of your home address"."

              "17001", or alternatively, "2...", the same as yours.

          2. TRT Silver badge

            Re: Train WiFi was actually that bad for a while

            He who would be taken through securi...tee,

            Must answer me these questions three,

            Ere the other side he see.

            What... is your name?

            What... is your quest?

            What... is your favourite colour?

            1. Magani
              Linux

              Re: Train WiFi was actually that bad for a while

              Surely you mean :-

              What... is the airspeed velocity of an unladen swallow?

              1. Aristotles slow and dimwitted horse Silver badge

                Re: Train WiFi was actually that bad for a while

                European or African?

          3. Pirate Dave
            Pirate

            Re: Train WiFi was actually that bad for a while

            "Security questions are notoriously poor security, as they are always things that are easy and reliable for people to remember"

            Or they are things that are from so long ago that they can't actually be remembered, so the answers are made up and then forgotten. "Where did your parents first meet?" "What was the name of your first pet?" "Who was your favorite actor as a child?" Dumb stuff that not all of us have bothered to waste storage space remembering for 50 years.

    2. Matt Ryan

      Re: Train WiFi was actually that bad for a while

      Current train WiFi on LNER does something strange with HTTPS certificates - Google Photos always complains about this.

      1. Anonymous Coward
        Anonymous Coward

        Re: Train WiFi was actually that bad for a while

        Possibly uses DPI to analyses traffic for blocking or throttling certain content?

        1. Mystery Machine

          Re: Train WiFi was actually that bad for a while

          They state that they block streaming and potentially other large / voluminous data transfers (photo sync would be obvious). I've never used it for much and generally go via 3G/4G as it's generally better on a busy service but will have a gander next time I'm on the train.

          Like many wifi sites your persistent TLS stuff like Outlook will throw cert errors when you're at the captive portal page because of how DNS works for captive portals but once through the portal it's all rosy.

      2. Dan 55 Silver badge

        Re: Train WiFi was actually that bad for a while

        Thus proving NordVPN's point. I doubt the ASA would know what MITM is if you drew them a picture.

  2. Roj Blake Silver badge

    And to think:

    All they need to do to sell loads of VPNs is say "want to avoid the government's age verification thing?"

    1. Anonymous Coward
      Anonymous Coward

      Re: And to think:

      Given the ASA's other rulings, that would be likely resulted in Nord being told to stop until the government legislation comes into force.

    2. Flywheel Silver badge
      Joke

      Re: And to think:

      You mean I'll have to get on a train to watch porn? Oh dear ...

  3. adam payne Silver badge

    Use public WiFi errrr...no thanks.

    1. big_D Silver badge

      I always double check the settings, before I join. If in any doubt, I'll pass.

      The last couple of times I was in a hotel, I either got "email" speeds (sub 100Kbps) or no security at all. In the end, I just activated the hotspot on my phone and used that.

      At the holiday home we rented, I logged on to the wifi, it was secured, did a quick IP scan and checked the certificates on some known sites, before deciding it was safe.

      Most people won't be able to know whether the wifi access point they are connecting to is safe.

      If in doubt, don't use it or use a VPN.

      1. Anonymous Coward Silver badge
        Big Brother

        What makes you think that the VPN provider is any safer than the WiFi provider? It's still a plain connection when it emanates from the VPN, so they get to inspect everything you're doing.

        (Obviously doesn't apply if you're running a VPN to your own network, but that's not the subject of the article)

        1. Charlie Clark Silver badge

          A lot of public wifis do collect and analyse the data (URLs, ip addresses, etc.) of users. Using a VPN will stop them doing this and it is a good idea to use one in hotels, cafés, airports, etc.. As "free" wifi networks often need to hijack your DNS in order to get you sign in, you have Biggest problem with many VPNs is that it is very difficult to be sure they're not collecting your data. Five eyes, etc. generally means they operate outside US jurisdiction.

          1. Aristotles slow and dimwitted horse Silver badge

            Yes, there will risks with everything, so somewhere you will need to draw a line in the sand, or stick your flag in the ground. But doing proper research around your VPN provider, rather that just signing up for the cheapest or even "free-est" will help with this.

            Just for reference - I'm with AirVPN as it was created by journalists, to protect journalists and therefore they have a guarantee that they do not log or record anything. Do I believe them? Yes. Can I prove it? No.

            As I said, there are risks with everything.

      2. Anonymous Coward
        Anonymous Coward

        I always double check the settings, before I join. If in any doubt, I'll pass.

        So you can tell the genuine WiFi from the pineapple WiFi someone may be running nearby that can be setup to use the same access code? Many won't be able to. Public WiFi is inherently unsafe.

        https://www.wifipineapple.com/

      3. Anonymous Coward
        Anonymous Coward

        Have to say that I don't bother with WiFi on a train as I reckon my phone's own 4G connection will be faster (and probably more secure).Indeed, I rarely hook into public WiFi nowadays, anyway, as the cost of mobile data has come down so much (I pay just under £17pm for unlimited calls and 18Gb of data - from one of the major networks with good UK and EU coverage). I have a VPN contract available but that's mainly used when abroad to watch BBC iPlayer...

  4. Blockchain commentard Silver badge

    "did not mean the site was legitimate, nor was it any proof that the site had been security-hardened against intrusion from hackers"

    Accessing it via a VPN does not magically make it safe.

    1. DJ Smiley

      Exactly!

      Their arguement that shared wifi (with a shared passcode handed out to everyone and his dog without wifi isolation (and even with it) IS insecure. But this has nothing to do with https and secure sites.

      if I can connect to wifi, and then connect to another device on the same wifi, it doesn't matter if they're going to a https site or not, if they're running outdated windows/osx/whatever then I can get in.

    2. Keith Langmead

      Yeah, they're either talking about the site that you're ultimately connecting to, eg the bank, social media etc, in which case doing it over a VPN doesn't magically help you if the site is dodgy, or I guess they could be talking about the portal site for accessing the public wifi in the first place, but again a VPN still wouldn't help with that since you'd need to connect to the wifi before starting the VPN.

      Would have loved to see the ASA respond simply by saying "That's nice, but what the hell has that to do with what we're discussing here right now?!?" :)

    3. Aristotles slow and dimwitted horse Silver badge

      True. But NOTHING will make it 100% safe. Using a decent VPN does however reduce the risk by a few magnitudes.

  5. Anonymous Coward
    Anonymous Coward

    Public wifi

    "Because the ad created the impression that users were at significant risk from data theft, when that was not the case, we concluded it was misleading"

    The problem with this is the definition of public wifi - while the more professional operators will have protections in-place to ensure DHCP/DNS are provided correctly, peer-to-peer communication is disabled and network infrastructure is protected from unauthorized eavesdropping, cafes and other smaller providers are unlikely to meet these standards.

    Wifi spoofing, DNS/DHCP/MITM attacks, transparent HTTPS proxies, switch port mirroring and in-line taps can all lead to potential security issues when using untrusted networks. Combined with the re-use of account details, simply checking a shopping order with your coffee CAN provide your e-mail/mobile/address/password from which further attacks can be launched. Your bank details might be safe (possibly), but you can still experience a lot of pain with other account compromises.

    So the question is "is CAN equivalent to significant"? Viewed based on wifi coverage, probably not as the major providers dominate - viewed based on being a large enough risk to have an effect, I'm not so sure.

    1. druck Silver badge

      Re: Public wifi

      The problem with this is the definition of public wifi - while the more professional operators will have protections in-place to ensure

      But do you know if you are connected to one of these more professional operators, or someone spoofing the same SSID and authentication mechanism?

    2. Anonymous Coward
      Anonymous Coward

      Re: Public wifi

      Any network that you don't control should be considered hostile. That said, a VPN is not a magic talisman that will make a hostile network safe.

      I've come across public WiFi hot spots that have tried very hard to block VPN connections. One hotel chain I've stayed in seems to aggressively throttle VPN traffic; the data rate becomes almost unusably slow when connected, even though this VPN performs very well from other public and private networks. Disconnect from the VPN and speeds increase dramatically.

      Perhaps there are legitimate, innocent reasons why an operator would attempt to block VPN connections or throttle them into oblivion to discourage their use. But since user traffic data is worth cash money, suspect that has more to do with it.

      1. druck Silver badge
        Boffin

        Re: Public wifi

        If you have problems with VPN blocking or throttling, set up your personal VPN to work on port 443/tcp. This isn't normally restricted, and most APs can't tell its not HTTPS traffic.

      2. Anonymous Coward
        Anonymous Coward

        Re: Public wifi

        Wonder if the hotel have a business wifi package they will sell you that doesn't throttle your VPN connection back to the office?

        Could be one reason they're doing it.

  6. Vulture@C64

    Another business which is very much behind the times. How can a country move forward with technology when you have such a lack of understanding in organisations supposed to be protecting the public.

    So now we have fibre broadband which isn't fibre and Joe's cafe Wi-Fi which should be regarded as being secure. We're stuffed !

    1. Doctor Syntax Silver badge

      "organisations supposed to be protecting the public"

      The ASA is the advertising industry's self-policing (stop laughing at the back) body. Who do you think their paymasters suppose them to be protecting.

  7. notamole

    The problem with this logic is that the internet isn't inherently insecure (it's not inherently secure either). If you're careful with your behaviour you'll never be infected with a virus, but anti-virus software is still advertised as if you're under constant attack. Sure, some wi-fi hotspots are set up properly, but you would only know that if you asked the operator and had the technical wherewithal to know what to ask, and they had the technical wherewithal to answer truthfully.

    1. notamole

      Maybe I should clarify: an internet-connected computer is not inherently insecure (or secure).

    2. JohnFen Silver badge

      Viruses are only one of a whole range of security threats. When I think WiFi (whether open or not), the first threat that comes to mind isn't viruses -- it's a MITM attack that allows others who are in the broadcast range of the hotspot to insert themselves into my datastream. Even a properly set up WiFi AP does not provide good enough protection against this sort of thing.

      What really opened my eyes about this is when I did pentesting of my own network. I had a properly set up and encrypted WiFi AP, and was still able MITM any device connected to it without having to know the WPA2 credentials.

      That's when I started using a VPN with all WiFi APs.

      1. notamole

        My comparison wasn't of VPNs and viruses, it was the advertising or VPNs and anti-virus. Anti-virus is sold as if the internet is inherently unsafe due to viruses, so why aren't their adverts being raked over the coals?

        My position is that neither should be reprimanded. Neither public wi-fi nor viruses are an inherent threat, they're a threat caused by human behaviour, but the vast majority of the public don't know the proper behaviour to protect themselves, so the claim that those systems are a threat is true for them even if it's only because they don't know better.

        In the case of viruses, don't click strange links or download things you didn't explicitly ask for. In the case of public wi-fi, check that it is properly secured before connecting to it.

  8. PeeKay

    Handing out security information voluntarily.

    The article quotes the following:

    Disagreeing, the ASA acknowledged in a public ruling that while "such data threats could exist", it "considered the overwhelming impression created by the ad was that public networks were inherently insecure and that access to them was akin to handing out security information voluntarily."

    Does the ASA know the difference between privacy and security based information? It appears not.

  9. JohnFen Silver badge

    In all fairness

    WiFi actually is inherently insecure -- it is not a huge problem to break WPA2. WPA3 may (or may not) fix this, but until that's ubiquitous it's best to treat all WiFi connections as if they were in the clear. I do not use WiFi anywhere (including in my own home) without using a VPN. (I use my own VPN server for this, not a commercial one).

    1. Anonymous Coward
      Anonymous Coward

      Re: In all fairness

      > I do not use WiFi anywhere (including in my own home) without using a VPN.

      The purpose of a VPN is to connect two separate private networks using only a public network in between, while preserving the private nature of traffic between them. Hence the "VP" in VPN. What most casual users today call a VPN is not doing this; instead, it's simply a tunnel connecting a host to the public Internet in a way that masks the point of origin as seen by remote peers. This is useful if you want to obscure the origin of your traffic but has no bearing on the privacy of its contents. It is equivalent to using a fake return address on your outgoing letters and dropping them in a random postbox in some town up the road a ways. The amount of effort required to observe the *contents* of your letter (or your packets) doesn't change; someone who possesses it can still steam open your envelope and read the letter, or view the contents of your packets as they traverse their networks.

      If you're using a protocol that doesn't provide privacy and/or authentication, you're still vulnerable to interception and/or impersonation just as you are without the "VPN", because once it comes out of the endpoint and enters the public Internet it is going to traverse numerous other links that provide no particular security. Exactly as it would if you just sent it out over the local wifi network in the first place. So this is nothing but false security, which is exactly why NordVPN lost this case. If you are really concerned about interception, you need something (either a true VPN or a properly designed protocol such as TLS) that does end-to-end encryption. That will protect your traffic from interception and, if properly configured, impersonation regardless of the networks it traverses. If it's not end-to-end, it's not safe. Of course, as pointed out above, it still won't prevent the site you connect to from storing your data at rest insecurely or deliberately selling or giving it away. As it was before the Internet, the way to keep a secret is not to tell anyone.

      1. JohnFen Silver badge

        Re: In all fairness

        "This is useful if you want to obscure the origin of your traffic but has no bearing on the privacy of its contents."

        Except that the traffic flowing through the VPN is encrypted, so it has a great deal of bearing on the privacy of the data flow. And when you use one, as I do, that you run yourself, then you know that your VPN provider is trustworthy because your VPN provider is yourself.

        1. TRT Silver badge

          Re: In all fairness

          It's only as private as the next network connection, though. I mean, I could VPN everything back to my home, but then I'm relying on VerminMedia to be secure, at least as far as their gateway, and from that gateway to the next, and so on and so on.

          Hence why end-to-end encryption is the "snuggest" fitting jacket in this layered security model.

          1. JohnFen Silver badge

            Re: In all fairness

            "It's only as private as the next network connection, though."

            True (assuming by "next network connection" you mean the next one after the end of the VPN). But I was talking specifically about making WiFi connections secure in the face of the inadequacy of WPA2. A VPN (even a commercial one) does that very well. I was not addressing wider network security issues.

            1. Kernel Silver badge

              Re: In all fairness

              "But I was talking specifically about making WiFi connections secure in the face of the inadequacy of WPA2. "

              I'm with JohnFen on this - if I'm using WiFi anywhere, especially public WiFi, the connection is via VPN to my own VPN server at home. Having once seen how effective a DNS cache poisoning app on an Android tablet was at intercepting traffic from individual devices on a public WiFi network, I'm going to side with NordVPN on this one. Everything, and I mean everything, was displayed in clear text on the intercepting tablet.

              True, my traffic could then be intercepted between my home and destination, but intercepting the fibre connection under my desk is probably beyond the skill set of the average 'l33t h@k0r'.

              1. TRT Silver badge

                Re: In all fairness

                Good points. Does Nord reference it’s VPN endpoint as a numeric IP address or does it require a DNS lookup?

              2. Anonymous Coward
                Anonymous Coward

                Re: In all fairness

                > True, my traffic could then be intercepted between my home and destination, but intercepting the fibre connection under my desk is probably beyond the skill set of the average 'l33t h@k0r'.

                It's certainly easier to intercept packets over wifi than to tap into a fibre link. However, it's also very easy to intercept packets at a router you control, either because you've compromised it or because you're an ISP (or "authorised person" at that ISP) or a state actor. If your packets are not encrypted end to end, you must assume anyone can see their contents. Defects in WPA/WPA2/WEP/WPA3/... are merely one of many ways attackers can accomplish that.

                There is nothing wrong in principle with eliminating one possible way they can do so, but unless you eliminate all of them, or at least all of them you consider practical given your threat assessment, you're just deceiving yourself. The cheapest, simplest, and most reliable way to address all common and practical threats is to use end to end encryption, which a tunnel to another public endpoint emphatically is not. If you can't use end to end encryption, the only sensible course of action is to avoid transmitting anything confidential, regardless of other steps you may have taken to shrink your attack surface.

                1. JohnFen Silver badge

                  Re: In all fairness

                  "unless you eliminate all of them, or at least all of them you consider practical given your threat assessment, you're just deceiving yourself."

                  The first law of security is "if it can be accessed legally, it can be accessed illegally". If you are ever considering yourself "secure" in an absolute sense, you're deceiving yourself, period.

                  That doesn't mean that it's pointless to engage in any security that isn't 100% comprehensive. All steps taken are of value. The more comprehensive your defenses are, the better, of course -- but I don't think it's a good idea to imply that even a meager defense isn't worth doing.

                  WiFi is one of the weakest links in a network, because there are relatively low-skill attacks readily available for it. As such, it seems worth at least securing that better even if you don't do anything else.

        2. Joe W

          Re: In all fairness

          Yes. Iff you are talking about a VPN. As metioned above, the VPN connects your machine (securely-ish) to a virtual network. It is now considered to be e.g. pat of a company network, and thus enable you to access some machines that are inside the company's network but not facing the internet.

          So: In the NordVPN case your machine is now part of NordVPN's network. All traffic leaving that network is going over the internet, and the security of that traffic does depend on the protocol / encryption used by the target website / service. If you do a telnet or unencrypted pop3 via NordVPN (or any VPN) to a machine that is outside of that private network, the password and username will be transmitted in the clear as soon as the traffic leaves the private network.

          The OP argued that since you do not aim accessing NordVPN hosted machines, it is not really a VPN - or rather: it makes this a VPN in name only, since security of the traffic depends on the protocol used by the connection to your target machine / service.

          I agree: DNS poisoning or traffic sniffing (and content, if not using end-to-end encryption) is much easier without using such a "VPN"-service, but good luck sniffing out the data transmitted over e.g. an ssh connection to a known target machine (or imap-ttls, or whatever).

    2. big_D Silver badge

      Re: In all fairness

      WPA3 isn't publicly released and security researchers have spanked the standards body's arse, pointing out some serious shortcomings in WPA3 on the first wave of hardware and sending them back to the drawingboard.

      1. JohnFen Silver badge

        Re: In all fairness

        Yes. That was why I said WPA3 may or may not make this better. Also, even if WPA3 ends up having no obvious weaknesses on release, the day will inevitably come when it is compromised as well.

        The essential problem with WiFi is the very thing that makes WiFi convenient: it involves broadcasting over radio, eliminating (or drastically reducing) the need to gain physical access to a place in order to attack it.

  10. steviebuk Silver badge

    They aren't completely wrong

    I stayed at a big chain hotel beginning of last year in London. Pullman on Euston Road to be exact, the one next to the British Library.

    Sat there bored in my room so decided might as well take a sniff of the WIFI traffic. It's a big chain, will be pointless though as it will be secure but I was bored.

    Erm....what? You haven't turned WIFI isolation on!?! So I can now see all the other devices in the area. You haven't even secured the machines downstairs in the lobby you let people use. You haven't secured the, what appeared to be old control information server, for the boiler or heating system somewhere that according to the log hadn't been rebooted for a years. You haven't secured one of your iis servers. Just click Network in Windows showed devices that were visible! Jesus!

    To give them a small, very tiny bit of credit. I reported it anonymously while there via Twitter and they started to lock it down while I was still scanning. Maybe I should of mentioned it openly to them, may have got a discount for the room :)

    At a lodge I stay at a couple of Christmas' ago their whole WIFI was shockingly poor. The speeds were poor, you could see and connect to the printer in their office which was only a stones through away and no I never printed anything to it despite really wanting to. No WIFI isolation and you could even get to the router and if my memory is write, sign in.

    Then we have Eurostar that I was on just before Christmas last year. Again, no WIFI isolation so you could see all other devices connected.

    So NordVPN weren't far off.

    1. Joe W

      Re: They aren't completely wrong

      Well... and how does using NordVPN make an issue like WiFi separation go away? You will need to hook up your machine to the public network to then access the VPN.

      1. Charlie Clark Silver badge

        Re: They aren't completely wrong

        Once your device is connected to the VPN it should be insulated from local network traffic.

        I don't think NordVPN is perfect but with governments and advertisers planning ever more invasive measures I'm beginning to regard the ads as a kind of public information campaign. Just like eventually all websites switched to https (okay, not all have), if everyone starts running a VPN then certain parties will have to work a little bit harder to snoop on everyone all the time.

      2. steviebuk Silver badge

        Re: They aren't completely wrong

        Because Nord's software has the option to tick "Invisibility on the LAN".

  11. Kevin McMurtrie Silver badge

    Why does it matter?

    None of the internet is safe, especially anyone making dubious claims while selling VPN. That's what encryption and certificates were invented for. Just don't click through the warning when the certificate isn't valid.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019