The Hola VPN service exposes users to security, privacy and legal issues, security researchers have claimed
A group of security researchers has called for users to uninstall Hola, a widely used VPN service, due to ongoing security and privacy issues, alleging that the Israel-based company that offers the service operates it in a way comparable to a botnet, putting those taking part in the network at risk.
While Hola said it has made changes to the service, fixing security issues and clarifying the way its features are disclosed, the researchers, calling themselves Adios Hola, argued the issues they highlighted are fundamental to Hola’s architecture, meaning they can’t be fixed.
‘Harmful to the Internet’
“Hola is harmful to the Internet as a whole, and to its users in particular,” they wrote. “The architecture of Hola is most likely unfixable. The only reliable solution to the problem is to completely uninstall Hola, whether it is ‘fixed’ or not.”
Hola’s chief executive responded that while the company has “made some mistakes” it believes the researchers’ claims are without merit.
“There have been some terrible accusations against Hola which we feel are unjustified,” said chief executive Ofer Vilenski in a Monday blog post.
The free Hola service is used primarily to access websites that aren’t available in a user’s home country, such as certain BBC services or Netflix, by allowing a user to take advantage of an exit node in that country, or to ensure anonymity. The service runs on a peer-to-peer model, meaning users of the free version share their bandwidth with other users.
However, Hola also sells access to the free users’ bandwidth, via Luminati, its commercial arm, allowing Luminati users to take advantage of the Internet connections and IP addresses of what it claims are more than 47 million users. Such a business model is more commonly associated with criminal botnets, which sell bandwidth to those wishing to distribute spam or launch denial-of-service attacks.
While Hola said the bandwidth is intended for legitimate purposes, the Adios researchers said they had little difficulty acquiring a trial account, over which there appeared to be no oversight.
“It operates like a poorly secured botnet,” they wrote.
Luminati was, in fact, recently used to launch a denial-of-service attack through the Hola network against image board 8chan, and since that incident user comments have appeared on community sites such as Reddit and on the Google Play page for the Hola Android client warning users against taking part in the network.
In addition, the researchers warned that by using Hola’s free service, they are agreeing to offer the IP address of their own system for use as an exit node, meaning that the Internet traffic of other Hola users may appear to be originating from their system.
This could have “serious consequences”, they wrote – for instance, if someone were to carry out illegal activities via the service, such as posting child pornography, there is a risk that the action could appear to be originating from the user’s Internet address.
Operators of exit nodes on the Tor anonymisation network also run similar risks, with the difference that those users have made a deliberate choice to operate the exit node, while in Hola’s case every user of the free service is, by virtue of the way the service is constructed, potentially acting as an exit node.
“This is an unfixable problem, that Hola doesn’t disclose transparently,” the researchers wrote. “It’s how Hola is designed to work, and it cannot function without it.”
‘Unpatched’ security bugs
Hola said it has changed the way it discloses this issue, but the Adios researchers said the changes “still do not explain the legal consequences”.
The researchers also said they uncovered several security vulnerabilities in the Hola client that could allow a malicious user to install malicious code on a client system and take over that system. Hola said on Monday it had fixed the issues “within a few hours”, but the researchers said that the vulnerabilities remained, only being more difficult to detect.
“This kind of security issue can only happen if a developer is either grossly incompetent, or simply doesn’t care about the security of their users,” they wrote.
Hola said it plans to appoint a chief security officer, engage in an external security audit and launch a bug bounty programme.
Are you a security pro? Try our quiz!