Written by Sean Lyngaas

The risk posed by foreign-made virtual private network (VPN) applications must be accounted for — even if government device users have avoided such apps — because adversaries are interested in exploiting the software, according to a senior Department of Homeland Security official.

“Open-source reporting indicates nation-state actors have demonstrated intent and capability to leverage VPN services and vulnerable users for malicious purposes,” Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency (CISA), wrote in a May 22 letter to Sen. Ron Wyden, D-Ore., obtained by CyberScoop. There is no overarching U.S. policy preventing government mobile device users from downloading foreign VPN apps, according to Krebs.

“Even with the implementation of technical solutions, if a U.S. government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely,” Krebs wrote. “This exploitation could lead to loss of data integrity and confidentiality of communications transmitted over the application.” Exposed phone data would likely include geolocation, contacts, and user history, he added.

There is no indication that foreign-made apps are widely used in the U.S. government, and there may not be any government-operated devices that have downloaded foreign VPN apps, Krebs wrote. But a lack of data leaves that question unanswered, and Krebs conceded that CISA had “limited visibility” on the usage. Moreover, it is unclear how widely deployed defensive measures such as sandboxing and application whitelisting are across government, according to Krebs.

The CISA director was replying to a February letter sent by Wyden and Sen. Marco Rubio, R-Fla., asking him for a security assessment of foreign VPN apps. The senators had expressed concern that some apps send a phone’s web-browsing data to servers in countries interested in targeting federal personnel. VPN providers promise to obfuscate the physical location of a web browser, but users are generally at the mercy of those companies’ decisions to collect and log data.

As evidence of the risk posed by foreign-made VPN apps, Krebs cited a November 2017 Russian law that allows the Russian government to access VPN providers based in Russia, and an advisory later that year from the Indian government warning that the Chinese government used popular Chinese mobile applications to collect user data.

“DHS has confirmed my fears: that using Chinese or Russian VPN services is essentially just taking your private data, wrapping it in a bow and then sending it directly to foreign spies in Beijing or Moscow,” Wyden told CyberScoop. “U.S government employees should not be using these apps, and I hope that DHS will take steps to prohibit their use on government-issued smartphones.”

CISA will continue to monitor the risk posed by foreign VPN apps and work with agencies to mitigate that risk through measures such as training and technical guidance, Krebs wrote.

You can read the full letter from Krebs to Wyden below.