Hola VPN still riddled with security holes, researchers claim
UPDATE 4.6.2015 10.46GMT: Clarifications by Vectra.
Hola's VPN network has been described as "an ideal platform" for executing targeted cyberattacks by security researchers looking into Hola's questionable business practices.
Last week, the virtual private network and geolocation unblocker service Hola acknowledged that the bandwidth of individuals using the free version of the software was being sold to cover operational costs. Used by approximately 46 million users worldwide, Hola is available in both free and premium versions -- and the free option, which acts as a P2P network, pools inactive PC resources from millions of systems to power Hola's premium Luminati VPN service.
The admission was made following the public complaints of 8chan message board operator Fredrick Brennan, who alleges users of the Hola network have unwittingly been fueling a botnet used to conduct multiple attacks on his website.
Each user of the free service becomes an endpoint for the network, and therein lies the issue -- if security flaws exist in Hola's network, this could then in theory be exploited by attackers who use the botnet for their own ends.Calling Hola "the most unethical VPN I have ever seen," Brennan says the Luminati botnet consists of over nine million exit nodes.
Following these reports, Hola updated the company's FAQ to clear up the process. Within the FAQ, the Israel-based firm says valuable resources are never taken, and a user's IP is only used as a proxy if the device is fully idle.
However, continual criticism of the business model has led Hola founder Ofer Vilenski to pen an open letter to Hola users. Vilenski writes:
"There have been some terrible accusations against Hola which we feel are unjustified. We innovated quickly, but it looks like Steve Jobs was right. We made some mistakes, and now we're going to fix them, fast."
Hola is a P2P network and free users are required to share their resources to use the IP disguising service -- but this information is now being included more prominently on the firm's website and during installation procedures. Vilenski also emphasized that the network should not be considered a botnet-for-hire; instead, Luminati is meant to be used for legitimate commercial purposes.
However, the executive admitted that a "spammer" was able to use the network last week by posing as a company and so new monitoring solutions will be put in place to minimize the risk of future abuse.
In addition, Hola plans to hire a Chief Security Officer (CSO) in the coming weeks -- something that arguably should have been done some time ago, considering how many users Hola caters for.
Hola also admitted that two vulnerabilities were discovered in the past week which may have led to the remote exploit of some devices which use Hola. According to the advisory, the flaws could not only lead to arbitrary code execution, but privilege escalation -- and design flaws could allow Hola users to be tracked, which goes against what the service ultimately stands for.
"The hackers who identified these issues did their job, and we did our job by fixing them," Vilenski says. "In fact, we fixed both vulnerabilities within a few hours of them being published and pushed an update to all our community."
The vulnerabilities were found by researchers at Adios Hola. While the VPN service claims the issues have been fixed, the researchers disagree. In an update, the team said:
"The vulnerabilities are *still* there, they just broke our vulnerability checker and exploit demonstration. Not only that; there weren't two vulnerabilities, there were six.
Hola also claims that "[vulnerabilities happen] to everyone. As we have pointed out from the start, the security issues with Hola are of such a magnitude that it cannot be attributed to 'oversight'; rather, it's straight-out negligence. They are not comparable to the others mentioned -- they are much worse."
The PR train crash does not end there. A new analysis released by cybersecurity firm Vectra is likely to place even more strain on Hola, as not only do the team insist the network acts like a botnet, but also imply that some of Luminati's design features suggest dark purposes, and "contains a variety of features that make it an ideal platform for executing targeted cyber attacks."
The team says the 8chan forum is not likely the first time Hola has been used for malicious activity. During Vectra's investigation, the firm discovered five different malware samples which contain the Hola protocol.
"Unsurprisingly, this means that bad guys had realized the potential of Hola before the recent flurry of public reports by the good guys," Vectra says.
In addition, Vectra says the network contains a "variety of capabilities that can enable a targeted, human-driven cyber attack on the network in which a Hola user's machine resides," including Hola software's ability to download additional software without user consent and a built-in console which remains active even when the user is not browsing the web.
This console's existence represents a risk to users as it could allow hackers to communicate with a Hola node even when the service is not active.
According to Vectra, this paves the way for problems including process killing, file downloads which bypass antivirus checks, executing download files and opening sockets to IP addresses and devices, among other security concerns. The team concludes:
"These capabilities enable a competent attacker to accomplish almost anything. This shifts the discussion away from a leaky and unscrupulous anonymity network, and instead forces us to acknowledge the possibility that an attacker could easily use Hola as a platform to launch a targeted attack within any network containing the Hola software."
Hola says the company is currently undergoing both an internal and external security review and audit, and will soon launch a bug bounty program to ferry out additional security problems.
ZDNet has reached out to Hola and will update if we hear back.
UPDATE 10.46GMT: Following communications between Hola and Vectra researchers, the latter has clarified their position in an update, clarifying that Hola was used to enable a botnet and is itself, not a botnet.
Read on: In the world of security