Hola rocked by botnet accusations

By Zoe Kleinman
Technology reporter, BBC News

Image caption: People generally use virtual private networks to access legitimate web content that might not be available in their home country (image: Hola on an iPad; image source: Hola)

Virtual private network Hola has downplayed concerns that its 47 million users could become part of a botnet.

A botnet is a network of hijacked computers that can be used for criminal activity without the knowledge of their owners.

Hola says it has always been open about sending other data via users' devices when they are not in use.

The Israeli company offers a free service but on the condition it can use customers' bandwidth "securely".

Mr Vilenski said he had wrongly assumed that describing the network as "peer-to-peer" had made that clear.

It also operates a commercial network called Luminati, which can be used to "route data through any of our millions of IPs [computer addresses] that are located in every city around the world", according to its website.

The website goes on to say the Luminati network consists of "personal PCs, laptops and mobile devices of participating users".

They are the private devices of Hola users, it has been claimed.

"The concern with Hola is that it appears to operate like a botnet, and one that is potentially insecure at that," said cybersecurity expert Prof Alan Woodward, from Surrey University.

"There is mounting anecdotal evidence that the network is being used as a real botnet.

"I haven't seen that in practice but the way in which the service can use your machine appears to have the potential to do something like that."

People often use virtual private networks to access internet content that is unavailable in their home country - such as video streaming services Netflix and the BBC iPlayer - but most VPNs are not free.

Ofer Vilenski said in his blog post that Hola generated revenue by offering the VPN for "legitimate commercial purposes" only.

"We have a record of the real identification and traffic of the Luminati users, such that if a crime is committed, we can report this to the authorities, and thus the criminal is immediately identified," he wrote.

Last week, the founder of message board 8Chan said the site had suffered a distributed denial of service (DDOS) attack - when a website is overwhelmed by false requests from computers - that could be traced back to the Luminati network.

Mr Vilenski accepted that a spammer had "passed through our filters" to use the service but added that the account had been terminated and "necessary measures" put in place.

He said that the firm would shortly begin a "bug bounty programme" offering rewards for people who identified security weaknesses in Hola and Luminati products.

Prior to the blog post, hundreds of people had already posted on community site Reddit, calling for users to uninstall the network over fears that their devices could unintentionally be used for criminal activity, and Android users have been leaving warning messages in the review section of the app on Google's Play Store.

In the FAQ section on its website, updated on 29 May, Hola explains how its "peer-to-peer" model works.

"When your device is not in use, other packets of information from other people may be routed through your device," it says.

"Hola does this securely, not allowing any access to any of your information. Your device is used only as a router."

It also says that users of its premium service, for a monthly fee of $4.99 (£2.28), are not part of the network.
