I decided it would be prudent to recreate this experiment and see if my results match these. Turns out they do.

Here's what I did:

1) I verified that the Akamai client IP header is actually the IP of the machine making the request to Akamai. Confirmed.

2) I signed up for NordVPN, connected to it, and checked the client IP header when making requests to disneyplus.com like in the link. Every request returns a different IP, so I wrote a little script to just make this request over and over and log it.

3) I ran each IP through the Unix 'host' command, which uses the DNS system to return a valid reverse-DNS hostname for the appropriate IP (when available; I'd guess about 5% didn't resolve to anything).

Here's a de-duped text file of about 2 hours of continuously asking Akamai what my IP is when making the disneyplus request:

github.com/jerwarren/nordvpn-i

That repo also has a very simple bash script that just runs over and over logging to a file so you can replicate it yourself.

This doesn't really tell us anything other than that requests are getting to Akamai through unexpected paths at just about every major ISP (and many smaller ones) across the US. How is this happening? I can't explain it.

Can you? Did I cock something up?

I don't know how reliable nmap's "OS fingerprinting" mechanism is (other than it reporting its own accuracy, of course) but a strikingly large percentage of those IPs all appear to be cable modems by the same manufacturer.

Can someone smarter than me take a look at this?
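As an added example (this is not the script from the linked repo, nor any NordVPN or Akamai code), here is a self-contained bash version of the three steps in the experiment above: poll the Akamai-fronted site, log the echoed client IP with a timestamp, collapse the log to unique IPs with hit counts and first/last-seen times, then reverse-resolve each with host(1) and tally which ISP domains appear. The check URL and the exact response header name are assumptions, since the post does not name them; confirm the header with `curl -sI` first and override both through the CHECK_URL and IP_HEADER environment variables.

```shell
#!/usr/bin/env bash
# Added example, not the repo's script. Labeled assumptions:
#   CHECK_URL - an Akamai-fronted disneyplus.com URL (hypothetical; the post does not name it)
#   IP_HEADER - the response header in which Akamai echoes the client IP (hypothetical name)
set -u

CHECK_URL="${CHECK_URL:-https://www.disneyplus.com/}"
IP_HEADER="${IP_HEADER:-x-client-ip}"      # hypothetical; verify with: curl -sI "$CHECK_URL"
LOG="${LOG:-nordvpn-ips.log}"
INTERVAL="${INTERVAL:-1}"                  # seconds between probes

# One probe: do a real GET, keep only the response headers, print the value of
# the client-IP header. Prints nothing when the header is absent, so a blank
# line never lands in the log.
poll_once() {
    curl -sS -o /dev/null -D - --max-time 10 "$CHECK_URL" \
      | tr -d '\r' \
      | awk -v h="$IP_HEADER:" 'tolower($1) == tolower(h) { print $2; exit }'
}

# Continuous logger, one "epoch-seconds<TAB>ip" line per probe. Runs until killed.
poll_loop() {
    while :; do
        ip=$(poll_once)
        [ -n "$ip" ] && printf '%s\t%s\n' "$(date +%s)" "$ip" >> "$LOG"
        sleep "$INTERVAL"
    done
}

# Collapse the raw log into one line per IP: ip, hit count, first seen, last seen.
# Reads "epoch<TAB>ip" lines from the file named in $1 (or stdin); junk lines are skipped.
dedupe_log() {
    awk -F'\t' 'NF == 2 && $2 ~ /^[0-9.]+$/ {
        n[$2]++
        if (!($2 in first) || $1+0 < first[$2]+0) first[$2] = $1
        if (!($2 in last)  || $1+0 > last[$2]+0)  last[$2]  = $1
    }
    END { for (ip in n) printf "%s\t%d\t%s\t%s\n", ip, n[ip], first[ip], last[ip] }' "${1:--}" | sort
}

# Reverse-resolve each unique IP with host(1), as the post does. Reads the dedupe_log
# output on stdin and prints "ip<TAB>name" or "ip<TAB>(unresolved)". Needs network access.
resolve_ips() {
    while read -r ip _; do
        name=$(host -W 3 "$ip" 2>/dev/null | awk '/domain name pointer/ { print $NF; exit }')
        name=${name%.}                     # host(1) prints a trailing dot
        printf '%s\t%s\n' "$ip" "${name:-(unresolved)}"
    done
}

# Tally resolved names by their last two labels (e.g. rr.com, comcast.net) to see which
# ISPs the IPs belong to. Reads resolve_ips output from the file in $1 (or stdin).
isp_summary() {
    awk -F'\t' '$2 != "(unresolved)" { n = split($2, p, "."); if (n >= 2) print p[n-1] "." p[n] }' "${1:--}" \
      | sort | uniq -c | sort -rn
}

# Usage: ./nordvpn-ips.sh poll        (run while connected to the VPN, Ctrl-C to stop)
#        ./nordvpn-ips.sh report      (unique IPs with reverse DNS, then the ISP tally)
case "${1:-}" in
    poll)   poll_loop ;;
    report) dedupe_log "$LOG" | resolve_ips | tee resolved.tsv; echo; isp_summary resolved.tsv ;;
esac
```

Leaving the timestamps in the raw log, rather than deduplicating at capture time, is what lets you later answer the "when is each IP online" question: the first/last-seen columns show how long each address stayed in rotation.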

Alright, NordVPN basically admitted they're using residential IPs, but are claiming it's not secret, it's not malware, and they'll explain it to you if you sign an NDA.

twitter.com/MalwareJake/status

Hey, look. A new page on NordVPN explaining this. What a coincidence that it'd appear today...

nordvpn.com/blog/smartplay-exp

Yesterday someone told me that I'm an idiot, I don't understand DNS, the Akamai response was wrong, everyone knows NordVPN just uses LeaseWeb, I should go "back to Silly-con Valley with the rest of the techbros," that I'm looking for zebras in a horse field and that I'm blocked.

Now that we know what's going on, the part that's really interesting to me is that anyone using NordVPN has access to a massive list of guaranteed participants simply by asking Akamai what their current IP is.

With my list of IPs, I'm able to tell when each is online or offline.

NordVPN's sales pitch is to protect yourself from threats, but this (apparently voluntary) program of sharing your residential connection with them completely exposes you as having installed shady shit, thus making you a huge target to people who can absolutely see you.

When you sign up for a service just to help prove they're as shady as people assume, and then they ask for your input.

While trying to figure out how to cancel my account I discovered they sell routers preconfigured to use NordVPN.

That's sure how _I_ would go about doing what they're doing if I was evil...

@nyquildotorg Wow, didn't know they sold these 😱

yip, that's one way to do it while *twiddling moustache* and *stroking a white cat*

@nyquildotorg Blech. This whole NordVPN debacle makes me want to shower.

Nice investigation and write-up!

@bgardner I didn't write the original Medium piece, but in the process of debunking it I discovered it's totally true.

@nyquildotorg Sure, that was clear; maybe I should have said "peer review" as opposed to "investigation", but still - solid work.

@nyquildotorg
"specific application for their devices"

The fact that they won't name it is worrying me.

@jospanner I mean, the obvious connection to make (but without real data to back it up) is their Oxylabs / Tesoro stuff, which absolutely has found its way secretly into applications, which makes it "malware."

If they put it into an application and tell people it's there, then it's no longer malware, even though it is doing exactly the same thing.

@nyquildotorg This does feel like the sort of thing that is easy to defuse if there really isn't something funny going on. The vagueness isn't inspiring a lot of confidence.
