Do VPNs protect you from hackers? Experts answer

Using a VPN (Virtual Private Network) can enhance our online privacy and security in many ways. By encrypting our online traffic and hiding our IP addresses, VPNs make us more anonymous online. But they also offer some additional protections against being hacked.

Cyber attacks can occur in a number of different ways. Your data could be targeted by hackers while it’s in transit, for instance, while a message is being sent from your computer to a work server. Alternatively, your data could be compromised by hackers directly on your device, through malware installed on your software. And the VPN servers which route our online activities are other important targets for hackers in gaining access to and exploiting user data.

As we will see, a VPN is really only effective in protecting your data while it is in transit. It cannot necessarily protect your device itself, nor can it stop data leaks from the VPN’s databases where user metadata is centrally logged. Moreover, a VPN cannot prevent the exploitation of any sensitive information you share online, for instance, with a social media account. Through new security architectures, innovative decentralized VPNs (dVPNs) and mixnet VPNs like NymVPN can help to mitigate this risk of data centralization. This is done by using a decentralized network with no central point of control and failure, and with the help of innovative routing designs.

To learn more about how VPNs work, check out our recent breakdown of how they can and can’t protect our online privacy.

VPN hacking prevention

While most users turn to VPNs for online privacy and anonymity, they can also help defend against certain kinds of hacking. Here are some of the cyber threats that a VPN can help prevent:

IP address targeting

One of the primary targets of cyber attacks is your IP address. Short for “Internet Protocol,” an IP address is a unique number which identifies the position of a host (your device) in relation to a network, allowing your device to connect with an Internet Service Provider (ISP). While your IP address on its own does not reveal your full identity (such as your name and address), hackers often target IP addresses in conjunction with more specific information from ISPs to divulge user identities, browsing habits, and even their approximate physical locations.

By masking your real IP address and replacing it with their own, a VPN helps protect against attacks that target your IP address directly. This can prevent hackers from easily exploiting vulnerabilities specific to you and your device.

Man-in-the-Middle (MitM) attacks

A MitM attack occurs when an outside adversary intercepts the online communication between two parties, mostly easily by way of an unsecured Wi-Fi network. This could be to listen in on a private conversation, to hijack a session by impersonating one user, to steal outgoing data, or to alter financial records in transit. Whatever the objective, a MitM attacker secretly positions themselves in the data flow between two entities that believe they are communicating with one another.

MitM attacks are significantly curtailed by the modern encryption and authentication protocols, like HTTPS, that securely connect users with online services, such as e-stores where credit card information might be shared. In combination with this default encryption paradigm, a VPN’s specific “tunneling” protocol provides end-to-end encryption and IP address obfuscation for users. If MiM attackers are able to intercept your data at any point, it would have to be decrypted to be readable, something which requires sophisticated technology and resources.

It’s important to keep in mind that a MitM attack might still be possible, particularly if the destination does not provide HTTPS encryption. In this case, even with a VPN on, your data will no longer have encryption once it leaves the exit VPN server. VPNs and websites also use different encryption protocols, some of which are easier to decrypt than others.

Packet sniffing

Packet sniffing is the ability of external parties to capture user data as it passes through a network. Packet sniffers are used by network administrators themselves in monitoring and troubleshooting network traffic. However, hackers also use them to steal unencrypted and sensitive data such as passwords or financial records. Packet sniffing can occur on both wired and wireless networks.

As with MitM attacks, HTTPS and VPN tunneling together can thwart packet sniffers by making sure data is encrypted from end-to-end. Sensitive information, like passwords or financial records, would be unreadable to external snooping. VPNs add the additional feature of rerouting and masking your IP address in the traffic between your device and the destination, making your online traffic much more difficult to trace back to you.

Wi-Fi eavesdropping

Wi-Fi eavesdropping is similar to packet sniffing and MitM, but it is unique to wireless networks, particularly un- or poorly encrypted ones. When we connect to an open wi-Fi network at a cafe which does not require a password, for example, eavesdroppers might be able to see what sites we are connected to. Wi-Fi eavesdroppers can monitor these networks and exploit any sensitive data we make available there. Alternatively, hackers can set up dummy open Wi-Fi networks which people will try to access. In both cases, this is a kind of MitM attack, since the hacker intercepts your data between your device and the recipient.

Like with MitM and packing sniffing, a VPN provides encryption and a certain degree of anonymity before your data can pass before the hacker listening in.

Hacking that a VPN cannot prevent

Here are some cyber attacks and security threats that a VPN cannot prevent. Notice that these attacks largely involve attackers having or gaining access to your device, system, or hardware, or to the servers where you have accounts or data. If your bank’s own databases are breached, a VPN certainly can’t protect your data.

Malware and viruses

If you download or interact with malware-infected files or websites, a VPN cannot prevent these malicious programs from infecting your device.

Phishing attacks

VPNs cannot protect you from phishing attempts where hackers, through fake emails or websites, trick you into revealing personal information, such as passwords or credit card numbers.

Man-in-the-Device attacks

If a hacker has already compromised your device with spyware or a keylogger, a VPN cannot protect the data on your device from being accessed or stolen.

Brute force and password attacks

If your passwords are weak or have been exposed elsewhere, hackers can potentially gain access to your accounts regardless of whether you’re using a VPN.

Local network attacks

Although a VPN can protect your data from snoops on the same network, it cannot stop someone who has direct access to your computer or local network from carrying out an attack.

Zero-day exploits

These are attacks that target newly discovered vulnerabilities before they have been patched. A VPN cannot prevent an attacker from exploiting such vulnerabilities in software or hardware you use.

Session hijacking

While a VPN encrypts your data in transit, if an attacker manages to hijack your session after you’ve established a connection to a website (for instance, by stealing your cookies), a VPN cannot protect you from such an attack.

Social engineering attacks

These attacks manipulate individuals into performing actions or divulging confidential information. A VPN does not protect against the consequences of such manipulative tactics.

Mixnet VPN protections

In addition to what kinds of hacking a VPN technology can and cannot prevent, we should also consider the different types of VPNs available to us. In response to the security vulnerabilities of traditional VPNs, decentralized models (dVPNs) and novel ones built on mixnets offer even more enhanced security and anonymity online.

Centralized data is a central target

VPN encryption, in whatever scope, cannot prevent hackers from targeting the VPN’s own databases which potentially contain the records of millions of users’ metadata. Most traditional VPN services are centralized physical infrastructures. They either own their own servers or rent them, often from the same providers. This means that they are built upon central points of failure. These central servers can be the targets of sophisticated cyber attacks for the simple reason that they contain the personal data of millions of users in one spot. Even if a VPN does not keep metadata logs, which is highly unlikely, they still contain financial records which could link you to them.

dVPNs and mixnet VPNs like NymVPN step in to solve this problem for users by offering an entirely different infrastructure. A mixnet is a distributed overlay network composed of hundreds or even thousands of independent and unlinkable servers (run privately by individuals contributing to the network). A mixnet VPN functions in the same fundamental way as a traditional VPN: encrypting and tunneling your data, and masking your IP address. However, instead of your data going through one server, it gets mixed up with other people’s traffic and sent through many unlinkable servers, with multiple hops between them, before arriving at its destination. This makes data breaches virtually impossible because your data is never located in one spot.

Traffic analysis resistance

Hackers are often employed by governments or agencies with advanced technical resources for analyzing the traffic of users. The decentralized architecture of mixnets makes this sophisticated traffic analysis much harder to accomplish, as opposed to targeting all the data available on a VPN’s single server. A mixnet’s decentralized routing architecture and default multi-hops makes it extremely difficult to trace the route of your traffic. To make matters more complicated, your data is mixed up randomly with other traffic as it passes through one of many nodes. To further complicate traffic analysis, dummy packets are used to increase network volume.

Advanced encryption

A key difference between traditional VPNs and a mixnet VPN is the type and quality of encryption used. Traditional VPNs typically use one form and layer of encryption between the user’s device and the VPN exit node, where it is unencrypted before going to its (hopefully encrypted) destination. A mixnet VPN enhances user anonymity through a multi-layered (or “onion” like) encryption around your data. Each layer corresponds with a node which will reroute your data. As it passes through that node, the specific or outer layer of encryption is peeled away, revealing where to send your data next. Revealing the full route of your data would require an adversary to control a large enough number of nodes, or both the entry and exit nodes, which would be exceedingly difficult.

Conclusion

Traditional VPNs can help block certain basic hacking attempts, and make more sophisticated ones more difficult. However, this is only when your data is in transit between your device and the VPN’s server. A VPN cannot protect your own device itself, and VPN data centralization poses a serious security risk for users. Central servers are luring targets for cyber attacks which can compromise not just your personal information, but the data and histories of millions of other users.

In the end, VPN technology is not a one-all solution for cyber security threats. Using a VPN is a significant step towards enhancing your internet security, but it’s important to complement it with other security measures. This includes using strong and unique passwords, keeping software up to date, being cautious about the files and links you click on, and using reputable antivirus software.

Before choosing one of the many large and “reputable” VPNs on the market, it’s important to consider whether going with a centralized VPN is worth the risks. If we are truly concerned about our privacy online, dVPNs and mixnet VPNs like NymVPN can provide enhanced privacy for users.