Is Hola Safe? Free VPN is Severe Security Risk and Could Expose You To Hackers, Cybersecurity Experts Warn

Millions of internet users rely on virtual private networks (VPNs) to secure their web browsing activity and provide a degree of anonymity. But one piece of widely used software is not only failing to do so but may actually be a threat to users, cyber experts have warned.

Trend Micro, an antivirus and security research company based in Japan, concluded in a report on Tuesday that Israel-headquartered HolaVPN is "not a secure VPN." It discovered web traffic from users' computers was not encrypted and IP addresses are "regularly exposed."


According to Hola, its VPN software now serves more than 175 million users. Free VPN software selling user data is not new—but Trend Micro believes HolaVPN is more egregious than most. The firm analysed how traffic was being shared with a sister service—known as Luminati.

Luminati is sold as a global peer-to-peer proxy network that lets customers collect data from the web, anywhere in the world. It is advertised for legitimate purposes like retail price comparisons or sales intelligence. HolaVPN, meanwhile, is described as the first p2p community-powered VPN.

The platforms are closely linked: both are owned and operated by Hola Networks Ltd.

But Trend Micro warned: "Our findings reveal that a user's machine, once installed with the free HolaVPN, will become one of Luminati's exit nodes. If the user's machine happens to be part of a corporate network, its being an exit node may provide unknown third parties possible entry to company systems. HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes."

These purposes could include enslaving computers in massive botnets—a collection of compromised devices—or allowing cybercriminals to perform "illegal or unauthorized" activities. Luminati, experts said, is known to sell bandwidth of user computers to third parties.

Alleged links to fraud

The cybersecurity company said it was able to analyse web traffic that was routed through Luminati between March 2017 and May 2018. The eventual dataset, it noted, had contained over 100 million URLs that were sent through about 7,000 exit nodes (users' computers).

The report said: "The detailed breakdown of Luminati traffic shows that the vast majority of all Luminati traffic is likely related to fraud with mobile ads and traffic from mobile apps."

The HolaVPN software has been criticized by the security community for some time. In June, one website was raising awareness about its seemingly "sketchy" data logging policies.

"They log everything you do, they cooperate with surveillance alliances [and] there is no encryption," warned John Mason, an author at TheBestVPN review website at the time. "This is the least secure VPN I've ever seen. To top it all off, it opens you up to new threats."

"If you're doing anything that involves even a shred of privacy, look elsewhere," he added.

In 2015, it was suspected that a spam attack was aided by Luminati exit node traffic. Now, Trend Micro has linked the network to online scraping—the mass compiling of digital information.

"We found concrete evidence for massive scraping of online content," it stated. "This scraping often violates the terms and conditions of the target websites and may be illegal in some jurisdictions. We also have shown that hackers have found their way to Luminati."

The firm said scraped data included "subscription-based scientific magazines, private contact details of physicians and attorneys, data on inmates, court documents in the U.S. and China, credit information, and even the Interpol's most wanted list."

Experts said that they could "easily imagine" how the network could be exploited to create fake social media followers or bots.

"It is not hard to imagine that actors committing click fraud or targeted attackers who do reconnaissance of a network have a great interest in getting access to Luminati," they wrote. Trend Micro's antivirus now lists the VPN as unwanted software.


About the writer


Jason Murdock is a staff reporter for Newsweek. 

Based in London, Murdock previously covered cybersecurity for the International Business Times UK ...
