Bit by Bit is a weekly column focusing on technical advances each and every week across multiple spaces. My name is Adam Conway, and I've been covering tech and following the cutting-edge for a decade. If there's something you're interested in and would like to see covered, you can reach out to me at adam@xda-developers.com.
VPNs have their uses, but they have a number of problems that nefarious VPN marketing doesn't tell you. In "protecting" your traffic by forwarding it through a server, you actually have to trust their servers to handle your data effectively and safely. There are plenty of VPNs out there that have been audited and appear to be safe, but that doesn't mean something can't happen in the future. In one case that demonstrates exactly what can go wrong with VPNs, users were unwittingly providing hackers access to their internet connections for use in DDoS attacks, botnets, and more.
It all started with a VR game called Gorilla Tag
Adding latency to get an advantage with a free VPN
In a popular virtual reality game called Gorilla Tag, you move through the world by moving your arms around to climb trees and avoid other gamers. If you get caught by those other games, you join a horde, where you can then attempt to tag other players and make them a member of the horde, too.
However, a VPN that essentially adds additional latency was used by gamers so that the game's lag compensation would allow them to gain an advantage over opponents, and Big Mama was the VPN of choice for that. As it turns out, Big Mama was selling access to the internet connection of free users. I did some digging and found that Big Mama VPN freely advertises this in its terms of service, but it doesn't make it any better.
We provide paid services to our Commercial Users (“Commercial Users”) by allowing them to proxy their internet traffic via the internet connection of Free Users. These terms and conditions apply on a as is basis also for the Commercial User that purchase the use of the Products and Services from bigmama.network website, so any reference to the Websites or BigMama VPN shall be construed as to imply that those specific provisions also apply to all, unless otherwise specified.
Big Mama also says that devices are bound to a P2P network where similar services are offered to "Commercial Users" to access those connections of free users in it. All of this means that free users of Big Mama VPN are giving the company the right to sell access to the user's internet connection, and security research firm Trend Micro (according to Wired) has already linked an uptick in cyberattacks starting from early last year which appear to come from Meta-branded VR headsets.
Reportedly, Big Mama is being used on Samsung and Xiaomi smartphones the most, with VR headsets being the third most popular device the application is installed on. “If you’ve downloaded it, there’s a very high likelihood that your device is for sale in the marketplace for Big Mama,” Stephen Hilt, a senior threat researcher at Trend Micro told Wired.
Given that the terms of service don't even hide the fact that this is occurring, it's unclear if the practice will change. In the Big Mama Proxy Network, commercial users can pay as little as 40 cents for access to real connections belonging to free users, netting them access to their internet connection and allowing commercial users to then engage in malicious or illegal activity while pretending to be a real person located somewhere else.
VPNs aren't the security promise they claim to be
No matter what they claim to be
A VPN provider can run a server relatively cheaply in the cloud, and it's essentially a race to the bottom when it comes to finding a way to make money from them. That's why marketing budgets for those providers tend to be so ubiquitous, as there isn't a whole lot else to spend money on when it comes to the infrastructure, and all VPN companies essentially offer the same service at their core.
As a result, you'll see new tactics deployed by those companies in an effort to make you purchase their VPN and not a competitor's. At this stage, VPN companies start to copy each other, tacking on more and more supposed "security risks" that a VPN will protect you from. For example, many of these companies will advertise that their VPN will protect you when using public Wi-Fi, despite the fact that public Wi-Fi no longer poses a danger to its users like it once did a long time ago.
As for anonymizing its users, there's more to this than meets the eye. If your VPN provider keeps logs or has been forced by a court to monitor your traffic, your anonymity is gone. Your IP address is still very much traceable to your VPN provider, effectively transferring responsibility for your privacy from your ISP to the VPN provider. Even more concerningly, service providers have previously been forced to hand over data while being barred from publicly disclosing that they're doing so, making it almost impossible to know for sure if your VPN provider is doing the same.
There are some legitimate use cases where VPNs are genuinely good, like for accessing content online that might be blocked in your region. However, VPN companies are always trying to find ways to make money, and Big Mama VPN is an example of one where things have clearly gone too far. A VPN is only as secure as its provider, and in this case, the provider is actively selling access to the internet connections of its free clients. When choosing a VPN, there's a lot more at stake than just the speed it offers and the countries you can connect to.
You should especially be wary of free VPNs, as in that case, you're the product. Companies might sell your user data to partners, which completely negates any of the anonymity claims that they may make. Plus, as we've seen, worse can happen too. Choosing a VPN requires a lot of research, so pick wisely, as it's nearly never a good idea to use a free VPN.