- CISA warned that personal VPNs can increase a user’s “attack surface”
- The advice is part of a wider warning about sophisticated spyware
- Dodgy VPNs, especially free apps, can collect data or inject malware
America’s top cybersecurity agency has issued a stark warning in its latest letter: “Don’t use a personal VPN.”
The advice comes from the Cybersecurity and Infrastructure Security Agency (CISA), which has warned iPhone and Android users that many commercial VPN services can do more harm than good. According to CISA, “personal VPNs simply shift residual risks from the Internet service provider (ISP) to the VPN provider, often increasing the attack surface.”
The warning suggests that while a VPN can protect your activity from your ISP, you’re relying on the VPN provider, many of which “have questionable security and privacy policies.” This is a significant statement from a federal agency that suggests a fundamental risk in how many commercial VPNs operate.
The warning is part of a wider effort to combat the rise of advanced commercial spyware. Security agencies are increasingly concerned about malicious actors using sophisticated tools to infiltrate smartphones, and a rogue VPN app is an ideal Trojan horse.
As a recent Google security alert also highlighted, threat actors are adept at distributing malicious apps disguised as legitimate VPN services to compromise user security and steal everything from browsing history to financial credentials.
These warnings are particularly relevant given the rise in VPN use to bypass geo-restrictions or in response to new regulatory measures such as age verification laws. But as CISA’s advice suggests, the rush for a quick privacy fix can lead users to download questionable apps that are ineffective at best and outright spyware at worst.
How to choose a secure and private VPN
CISA’s blanket warning suggests that all VPNs are untrustworthy, but the crux of the problem lies with questionable providers.
The best VPN services are transparent, audited and committed to user privacy. To stay safe, you should look for a provider with a strict and independently verified no-logs policy that ensures they don’t collect or store data about your online activities.
In addition, well-vetted VPN protocols such as OpenVPN and WireGuard form the backbone of a secure VPN connection, keeping your traffic private and protected from eavesdropping between your device and the VPN server. Both rely on modern, well-studied cryptography to protect your data from attackers on the network, your ISP, and government surveillance, making it extremely difficult for third parties to read your communications in transit.
When choosing a VPN, it is also recommended to look for additional security-oriented features that strengthen your online protection.
One such option is a kill switch, which automatically blocks your internet access if the VPN connection drops unexpectedly. This prevents your real IP address and unencrypted traffic from leaking outside the tunnel, a common risk when no such protection is in place.
Other valuable features may include DNS leak protection (so that name lookups go through the tunnel rather than to your ISP's resolver), multi-hop connections that route traffic through multiple servers, and perfect forward secrecy (PFS), which uses short-lived session keys so that a key compromised later cannot be used to decrypt previously captured traffic.
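As an added illustration, not from the article, CISA or any VPN provider: a small Python check that reads a Linux routing table and resolver list and reports whether general traffic and every DNS server actually leave through the tunnel interface. These are exactly the conditions a kill switch and DNS leak protection are meant to enforce; the route and resolv.conf samples are constructed, and the tunnel interface name `tun0` is an assumption.

```python
import ipaddress

# Constructed samples (not captured from a real host) of `ip route show`
# and /etc/resolv.conf on a Linux client. The 0.0.0.0/1 + 128.0.0.0/1 pair
# is the usual way a VPN client overrides the default route while it is up.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""
ROUTES_VPN_DOWN = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""
RESOLV_OK = "nameserver 10.8.0.1\n"                         # VPN-provided resolver only
RESOLV_LEAK = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"  # home router resolver added

def parse_routes(text):
    """Return [(network, iface)] pairs from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        iface = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), iface))
    return routes

def egress_iface(routes, addr):
    """Longest-prefix match: the interface the kernel would send addr out of."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in routes if ip in net]
    return max(matches)[1] if matches else None

def assess(route_text, resolv_text, vpn_iface="tun0", probe="1.1.1.1"):
    """Report whether general traffic and every resolver leave via the tunnel."""
    routes = parse_routes(route_text)
    servers = [l.split()[1] for l in resolv_text.splitlines() if l.startswith("nameserver")]
    leaking = [s for s in servers if egress_iface(routes, s) != vpn_iface]
    return {
        "tunnel_up": any(iface == vpn_iface for _, iface in routes),
        "traffic_via_vpn": egress_iface(routes, probe) == vpn_iface,
        "dns_leak": bool(leaking),
        "leaking_resolvers": leaking,
    }
```

The VPN-down sample shows the failure a kill switch exists for: the tunnel routes vanish, so both the probe address and the resolver fall back to the physical interface, and a client without a kill switch keeps sending in the clear.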
For those seeking the most private VPNs, the key is to choose a reputable provider that prioritizes user security above all else. TechRadar’s top-rated VPN, NordVPN, for example, offers a number of advanced features and is currently running an exclusive discount for TechRadar readers, making it an excellent choice for those looking to strengthen their online security without falling prey to the pitfalls CISA has warned about.