holavpnheader-min
19 Dec 2018 12:16

Antivirus Researchers Take Hola VPN to Task Over Non-Existent Encryption and IP Leaks

The scathing report, published by Trend Micro, criticizes Hola VPN for not acting as a VPN at all, brands it as 'unsafe'

Callum Tennent
By Callum TennentSite Editor

Researchers from Trend Micro, a cybersecurity and antivirus firm, have lambasted HolaVPN for its total lack of encryption, branding it a “dangerous tool for internet users”.

A new 32-page report goes to great length to detail exactly why VPN users should steer clear of the HolaVPN service. Rather than act as a ‘true’ VPN, masking the user’s identity and encrypting their traffic, it instead merely serves as a ‘community powered peer-to-peer proxy network’.

Those signed up to the HolaVPN series agree to share their connection and idle bandwidth with other users. This means that HolaVPN does no operate any physical servers, instead relying upon its massive user base to provide exit nodes for one another.

This approach means that at no point is any user traffic encrypted, nor are original IP addresses protected – a point emphasized by the Trend Micro report, and something HolaVPN’s 175 million users may be unaware of.

Luminati, Hola VPN’s sibling company was also subject to heavy scrutiny. Luminati treats HolaVPNs users as exit nodes, selling them to companies to use as a proxy service.

The Trend Micro report claims that Luminati is being used for more sinister purposes, though. It says: “The study revealed that more than 85 percent of the traffic in the dataset was directed to mobile advertisements and other mobile-related domains and programs—an indication that cybercriminals could use the service for large-scale click fraud schemes,”

“If the user’s machine happens to be part of a corporate network, its being an exit node may provide unknown third parties possible entry to company systems. HolaVPN could enable attackers to circumvent corporate firewalls and allow them to explore the internal network of a company for nefarious purposes.”

HolaVPN and Luminati issued a shared statement in response: “The Trend Micro report is a sensational, irresponsible report, falsely suggesting that all VPN users want to hide their identity.

“Hola is a free unblocker which is used for seeing any content from any location. It is not a privacy VPN and does not purport to be so,”

Just how to distinguish between a ‘privacy VPN’ and an ‘unblocker VPN’ is unclear, although the usage of the term VPN usually implies a product capable of both functions.

Luminati CEO Or Lenchner claims there are “extensive errors throughout” the report, demanding it be taken down.

“Only customers that are fully vetted by Luminati as legitimate, compliant customers are allowed on Luminati’s residential network,” he adds in an email. “If a customer breaches Luminati’s terms and conditions, that customer is immediately suspended and Luminati is explicit that it will cooperate with law enforcement to provide the information required to prosecute.

“Luminati is a valuable service used by Fortune 500 customers and thousands of enterprises for price comparison, travel, and other legitimate uses which ultimately are the foundations of a free market. We are appalled that Trend Micro would publish such a tarnishing report without fact checking with its subjects first.”

Trend Micro is standing by its report, though. Users of the Trend Micro Internet Security antivirus program will now find that Hola VPN is flagged as ‘potentially malicious’.

The true nature of Hola VPN’s operations first came to light in 2015, and is a topic we touched upon in our review of the product. At Top10VPN.com we would never recommend a product that not only leaves you personally exposed, but actually potentially makes you less safe online. Regardless of Luminati’s true intentions or the motivations of its clients, Hola VPN is a product that goes against our founding principles, and we believe it should be avoided at all costs.