Dedicated vs Virtual
Dedicated Bare Metal Servers
- Physically more secure — accessing the memory or storage requires physical access to the machine.
- All resources (memory, CPU, network) are dedicated to blackVPN.
- Very easy (for the provider or law enforcement) to create a snapshot of the memory and storage at any time.
- All resources (memory, CPU, network) are shared with other unknown users.
- Susceptible to cache attacks and hypervisor exploits — other users of the server could gain access to sensitive data.
Dedicated Servers Are Physically More Secure
All of our VPN servers are running on bare metal dedicated hardware. This means it is a physical machine where the memory, hard drive, processing power and network access are all 100% dedicated to blackVPN.
Our VPN servers are located in ultra secure data centers and only someone with physical access to the server would be able to control it or read all of its data, provided they have the necessary equipment (e.g. a hot-pluggable PCI card that could read the host’s memory).
Virtual/Cloud Servers Are More Insecure
Most other VPN providers are using Virtual/Cloud servers for their VPN servers which is highly insecure. Virtual/Cloud servers share the resources of a single computer among the other clients of the cloud provider.
The provider offering the Virtual/Cloud server to a VPN service can easily access the memory and storage of the VPN server and can even decrypt the data without the knowledge of the VPN provider.
Without even needing physical access to the server they can make a snapshot of the VPN server at any time, which dumps the whole RAM content to disk. This gives them access to all data currently in memory, including the decryption key of the virtual disk. When they control the VM hypervisor, they also control all the computations the virtual machines make. It’s not easy to do, but it is theoretically possible to use this to break any cryptography which happens on it.
Without any special equipment the hosting provider (or a law enforcement agency, government agency, spy agency) has access to everything — the machines network communications, files, the active memory while it is running (including the keys needed to read the encrypted partitions), and anything else they want. This is true as long as the virtual machine is being used, even if everything is encrypted.
Law enforcement or government agencies could also simply make a copy of the VPN server and then just set it up elsewhere.
Virtual Machine Cache Attacks
Virtual machines are also vulnerable to a cache attack which allows attackers to access the VPN servers secret RSA keys and other important cryptographic keys. This isn’t just a possibility that we need to trust hosting providers not to exploit — anyone with a Virtual/Cloud server that is on the same physical machine as the VPN server can snoop these items.
Hacking The Hypervisor
Virtual/Cloud servers have a particular weakness that dedicated servers do not: the hypervisor.
The hypervisor handles creating and managing each of the virtual machines on the server. Security weaknesses can allow an attacker to bypass the hypervisor completely and provide an attacker access to all the resources available to the hypervisor. Indirectly, this gives the attacker full control over the targeted machine.
Breaking hypervisor isolation and exploiting neighbouring virtual machines is a prominent goal of cyber criminals. At the Black Hat USA 2015 and DEF CON 23 conferences, a group of Security researchers demonstrated that some hypervisors are vulnerable to attacks through system firmware. These attacks led to successful installation of a rootkit in the system firmware (such as BIOS), privilege escalation to the hypervisor privileges, and exposure of hypervisor memory contents.
Services that require maximum security — like your online banking service — would never use Virtual/Cloud servers for processing sensitive information. So why do most VPN services who claim to safeguard your privacy use them?