VPNs are less secure than you think


According to a survey published by the technology company NordVPN in December 2023, in Italy about a quarter of people who browse the Internet use a VPN service. The acronym stands for Virtual Private Network and refers to software used to create a secure channel for data transmission over the Internet. In short, a VPN forms a digital, encrypted tunnel between the device from which the user connects (a computer, a tablet, a smartphone) and a remote server, while masking the IP address from which the user connects. Companies tend to use this technology to allow employees who connect remotely, because they are traveling or because they work from home, to reach the company network.

VPNs used by everyday users are based on the same technology, but are used for completely different purposes. In particular, they are one of the most immediate and well-known methods to circumvent any geographical limitations, and therefore for example to watch films present in the catalog of a streaming platform only in another country, or to visit US sites that are not normally accessible from Europe because they do not comply with community regulations on the processing of personal data.

But for years the idea has taken hold, often promoted by the same companies that develop VPNs, that using them helps to further protect one’s online privacy and increase the security of one’s devices: the NordVPN survey says that 37 percent of Italian VPN users claim to use them mainly for this reason.

The reality, however, is more complex: in the case of corporate VPNs, in recent years several experts and researchers have identified hundreds of vulnerabilities (i.e. programming defects and weaknesses that make it easier to compromise the security of a piece of software) even in some of the most popular VPN products. As early as 2020, the US National Security Agency (NSA) circulated a communication reminding everyone, but especially companies, that VPNs can often prove particularly vulnerable to cyber attacks. And even when it comes to use by individuals, various experts fear that users are overly confident in the level of protection that VPNs can offer.

The first VPN protocols were adopted in the early 2000s with the main objective of allowing employees of large companies to connect to the internal network even remotely, while maintaining a certain standard of security and confidentiality of information. Previously, to prevent unauthorized people from accessing the internal network, companies rented private data transport networks, separate from the public Internet.

These networks were built on dedicated lines and isolated from the wider public internet, but cost a lot of money to maintain: VPNs, on the other hand, allowed employees to access their company’s internal network quite securely while using the public internet. Only years later would the technology begin to be used by individuals outside of companies for different reasons (such as, precisely, circumventing limits linked to the location of one’s IP address). Even today, however, VPNs designed for companies should have higher security standards than those used by ordinary users.

Nonetheless, in recent years the corporate VPN sector has quite often been the subject of news about vulnerabilities and attacks. A few days ago Cisco Talos, a group of researchers and analysts that deals with cybersecurity and intelligence within the US multinational Cisco Systems, reported that over the last month there has been a massive increase in cyber attacks against various popular corporate VPN services, including those of Fortinet, Check Point, and SonicWall. Furthermore, between 2020 and 2024, the number of vulnerabilities found in VPN services increased by 875 percent, according to estimates. At least two hundred have been exploited by criminal or malicious actors to attack users or the companies they work for.

There are many reasons, starting from a huge increase in the attention of hackers, criminal groups and state entities towards VPNs, which in the worst case, if breached, can allow attackers to access the entire network of a company. This attention has grown since 2020 also because a greater number of people have begun to work remotely, multiplying the potential attack surface.

«We must keep in mind that we are talking about very complex software which by definition is exposed on the internet. They are often the only thing a company displays publicly. But this also means that the smallest vulnerability, as it is exposed to the internet, becomes critical», explains Roberto Clapis, a cybersecurity expert who, among other things, has long worked for Google. «As soon as a vulnerability becomes known, the first thing attackers do is to use it across all the servers that probably use that software, to try to enter companies’ internal networks. And once they’re inside, the whole security model falls away.»


Added to this are pre-existing problems, starting from the fact that many VPNs are based on protocols that are now rather dated and rely on outdated cryptographic standards, which are therefore less solid and better known to attackers. Moreover, many companies choose their VPN in a rather superficial way, limiting themselves to the one offered within larger digital packages the company has purchased.

This becomes a problem especially if companies convince themselves that using a VPN is sufficient to secure their systems, without establishing additional layers of security, for example by activating multi-factor authentication when employees log in.

«Companies often start from the idea that software must be safe because everyone uses it. But it is not uncommon for a company that produces software, aware of the fact that it has an excellent position in the market and will therefore easily sell its product, not to invest much in improving or securing it», says Clapis. «The ironic thing is that VPNs are potentially simple software, and if they kept that simplicity they would probably have fewer vulnerabilities.»

As regards the private use of VPNs, the considerations to be made are a little different. «Until about ten years ago the main reason why they were used outside the company was linked to data protection. The online standard was plaintext communication, and only a few cautious pieces of software encrypted the information. In that context, using a VPN actually made the act of connecting to the internet safer», explains Professor Stefano Zanero, of the Polytechnic University of Milan. By “encrypting” we mean the act of converting data transmitted from one computer to another into a coded form, so that anyone who tries to intercept it finds it illegible or, indeed, encrypted.

«In recent years, however, practically all the software and applications we use have begun to encrypt communications, and this type of use has lost a bit of meaning: there are still communications online that are not encrypted, but they are very few», explains Zanero.

There therefore remain two main uses that individuals make of VPNs: “pretending” to connect from a country other than the one you are in, and, for whatever reason, hiding the IP address from which you are connecting. «However, both of these functions are based on a gigantic compromise», says Zanero. «The VPN service provider is what in jargon is called a “trusted element”, that is, it is someone in whose hands we are putting our connection. If the reason why I am using it is that I hope that my privacy will be protected, putting all my traffic in the hands of a specific company is not necessarily a good idea: I have to be sure that the company is very honest, and trust that the underlying cryptographic mechanisms are secure and robust. And, if I’m using a VPN in the hope of accessing content that I legally couldn’t see, such as copyrighted content, whether the company is more or less inclined to provide customer data to the authorities.»

Much more often, however, users choose their VPN based on very different criteria, such as whether it is free or the interface is easy to understand and navigate: «so, if I have to sell you my VPN, it is clear that I will not focus on the security and robustness of the system, but on its usability», adds Zanero.
