NordVPN, a company reeling from careless security practices revealed as part of a security breach (one that they covered up for 6 months until they were finally outed for it), had promised to do better.

From the NordVPN blog:

This is about explaining what we’re going to do to take our security to the next level and make sure nothing like that ever happens again…. We’ve learned our lesson and we want to prove it to you with actions, not just words…. What we can promise is that we have taken this incident to heart and will do everything we can to improve and to win back your trust.

That surely sounds nice, but is it true?

What I’m about to tell you is distressing, and reveals the true nature of NordVPN’s business practices.

Tesonet and Oxylabs

The problem is that NordVPN is closely linked with Tesonet, a Lithuanian data-mining company. NordVPN is said to be one of Tesonet’s projects; Oxylabs.io is another.

So what’s the big deal? Oxylabs.io advertises on its website “32M+ residential proxies…100% anonymous proxies from all over the globe with zero IP blocking.” Think of “residential proxies” this way: (1) Oxylabs installs some malware on a user’s device, unknown to the user, by bundling it with other software that the user downloads. (2) This malware enables Oxylabs to sell off your bandwidth, your computing power, and your IP address to third parties, who route their internet traffic through your device.

Does that mean your device can be used by a third party to access child porn or hack into a bank? Absolutely! Another VPN provider named Hola was called out for reselling users’ bandwidth in this way through their B2B service (Luminati), and incidentally Hola is suing Tesonet for copying Hola’s technology.

NordVPN has gone out of their way to downplay their ties to Oxylabs and Tesonet. After all, they couldn’t possibly be incorporating any part of Oxylabs technology into NordVPN’s apps…

What does all of this have to do with Disney+?

Disney+ is a streaming service that launched on November 12, 2019. That’s more than 2 weeks after the NordVPN security breach reports surfaced, and it’s after NordVPN had promised to take actions to win back users’ trust.

Disney+ is currently available in select countries. If I live in the US I can subscribe and watch with no need for a VPN. But if I live in the UK I would need to proxy the stream through a remote US server using a service like NordVPN. It’s often the case that VPN users will find that services like Disney+ are blocked on many servers, presumably because the content provider is able to discover the VPN’s IP addresses and restrict access to those IPs. Sure enough, I tried 2 other VPN providers that I’m familiar with, and neither could unblock Disney+.

Then I decided to give NordVPN a try, and poof, it worked like a charm. How was this possible? Residential IPs were my guess: they would confuse Disney+ into believing the traffic was not coming from a VPN server housed in a data center. Simple obfuscation.

So how did NordVPN do it? How could I find out?

My first step was to see which CDN serves disneyplus.com content. According to Cloudflare, “a content delivery network (CDN) refers to a geographically distributed group of servers which work together to provide fast delivery of Internet content.” A web tool revealed that www.disneyplus.com uses Akamai.

That’s perfect, because I know that Akamai provides a debugging aid for webmasters troubleshooting their CDN configuration. In technical jargon it’s a set of Pragma headers: send the request header Pragma: akamai-x-get-client-ip and the Akamai edge server answers with an X-Akamai-Pragma-Client-IP response header containing the client IP address it actually saw, i.e. the last hop that delivered the request to Akamai. Site operators can switch these debug responses off in their Akamai configuration, but if they haven’t, a single command from Linux is enough to observe the address that is really sending and receiving the traffic.

So it’s really quite straightforward. I launched my Linux VM, connected to a US NordVPN server and ran a simple command to get the IP address.

NordVPN is sending traffic to Disney+ through 174.134.22.78. Next I looked up the IP.

OK so Charter Communications aka Spectrum. Yes it’s a residential ISP, but they also provide services to large companies. It’s not crazy to think that NordVPN could have bought an uplink from them and connected it in their data center. Nothing nefarious here on the surface.

OK, what else can I find? I decided to re-run the command in Linux…30 more times.
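As an added example (not the author’s command, and not code from NordVPN, Akamai or Disney), here is a small POSIX shell script that automates the procedure above: one request carrying Pragma: akamai-x-get-client-ip, parsing of the echoed X-Akamai-Pragma-Client-IP response header, a loop of N requests, and a tally of the distinct exit IPs with their origin AS. It assumes curl is installed (and optionally whois, for Team Cymru’s IP-to-ASN lookup service), and that the target is fronted by Akamai with debug headers left enabled; the disneyplus.com URL and the 30-request count come from the post, the function names and everything else are my own assumptions.

```shell
#!/bin/sh
# Added example, not the post's own command. Probe which client IP Akamai's
# edge sees for a URL, repeat the probe, and tally the IPs seen.
# Assumptions: curl installed; target is behind Akamai with Pragma debug
# headers enabled; whois (optional) for the Team Cymru ASN lookup.

# Read raw HTTP response headers on stdin and print the value of
# X-Akamai-Pragma-Client-IP. Header names are case-insensitive and curl
# emits CRLF line endings, so both are normalised. Returns 1 when the
# header is absent (debug headers disabled, or the host is not on Akamai).
client_ip_from_headers() {
    ip=$(tr -d '\r' | awk 'tolower($1) == "x-akamai-pragma-client-ip:" { print $2; exit }')
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# One request: send the debug Pragma value and extract the echoed client IP.
# -I asks for headers only; -m bounds the wait if a proxy hop is slow.
probe_once() {
    curl -sS -I -m 20 -H 'Pragma: akamai-x-get-client-ip' "$1" | client_ip_from_headers
}

# Count occurrences of each IP read from stdin (one per line), most
# frequent first, printed as "count ip".
tally_ips() {
    sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Origin AS and AS name for one IP via Team Cymru's whois service, which is
# the step that turns an address like 174.134.22.78 into an ISP name.
# Skipped gracefully if whois is not installed.
origin_asn() {
    command -v whois >/dev/null 2>&1 || { printf 'whois not installed\n'; return 0; }
    whois -h whois.cymru.com " -v $1" | tail -n 1
}

# Repeat the probe N times through whatever tunnel is currently up and
# report the distinct exit IPs, their counts, and their origin AS.
sample_exit_ips() {
    url=$1; n=${2:-30}; i=0
    while [ "$i" -lt "$n" ]; do
        probe_once "$url" || true   # a failed probe just contributes no line
        i=$((i + 1))
        sleep 1
    done | tally_ips | while read -r count ip; do
        printf '%s %s  %s\n' "$count" "$ip" "$(origin_asn "$ip")"
    done
}

# Usage: bring the VPN up first, then:
#   sh akamai-probe.sh https://www.disneyplus.com/ 30
if [ $# -gt 0 ]; then
    sample_exit_ips "$1" "${2:-30}"
fi
```

Two things to keep in mind when reading the output. If the property owner has turned Akamai’s debug headers off, client_ip_from_headers returns nothing and the script is silent, so a blank result means “not observable this way”, not “no proxy”. And a single sample cannot distinguish a VPN server with a directly purchased Charter uplink from a Charter residential customer’s PC; what the post relies on is the spread of exit addresses across many unrelated ISPs over 30 requests, which is exactly what the tally makes visible.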

Residential IPs jackpot

Below are the IPs I got back:

OK now here we go…

All the most common US ISPs are there… AT&T, Comcast, Verizon, CenturyLink. IPs from Charter Communications in their Midwest, Texas, Pacwest and Northeast regions. ISPs I’ve never heard of before… who the heck is Delcom? Turns out they are serving some rural communities in Texas. Did NordVPN buy servers or connectivity from them?

So any theories on how NordVPN is getting all this terrific, unblockable, residential connectivity? Could they be buying it from Hola/Luminati, the very company that is suing them? Doubtful. The most likely conclusion is that they are using their own Oxylabs to do it, the very service that NordVPN claimed that they had nothing to do with.

As a NordVPN user, what does all of this mean for you? Are you less secure because your traffic is being routed through the PC of some random farmer in Texas? Not really. The traffic you send to disneyplus.com is encrypted end to end with TLS and can’t be read by the farmer (or his cows); the most his device can see is the destination hostname in the TLS handshake and the timing and volume of what passes through.

Hey, farmers matter too…

That’s really the key issue. The unsuspecting Texan downloaded a GPS navigation app or a financial calculator app, and secretly embedded in the software is code that enables the Oxylabs residential proxy network to run from his device. Did our farmer friend download that app knowing that he’d be letting NordVPN freeload on his internet connection, passing users’ Disney+ traffic through his device? Hardly. He likely has never heard of NordVPN, and perhaps hasn’t heard of Disney+ either. What if NordVPN is passing other types of traffic through his device, including something much more nefarious than the Lion King movie? Our friend would be none the wiser.

NordVPN had promised to do better, but this seems like a step back. They promised they had nothing to do with Oxylabs, but now that assertion seems to be false. They violate unsuspecting internet users, and even trample over their own customers’ privacy. Yes, why would you send all your customer email addresses to a 3rd party marketing company, NordVPN?

If you want to be taken seriously as a privacy and security company, why don’t you start acting like one? Farmers in Texas (and most of your customers) are depending on you to clean up your act.