Why you need a VPN for Kodi

Kodi allows users to stream video from a huge range of sources. Some of those sources are legal and some are not, and that distinction is not always clear to users. Likewise, while most add-ons are safe, some are malicious or might become malicious down the road.

For these reasons, we strongly recommend using a VPN when watching Kodi. A VPN, or Virtual Private Network, encrypts your streams and other data and routes them through a server in a location of the user’s choosing. By doing so, you can prevent your internet service provider and other third parties from spying on what you watch on Kodi, and prevent a range of potential attacks from malicious Kodi addons and streaming sources.

How to use a VPN with Kodi

Here’s how to use a VPN with Kodi:

  • Choose a suitable VPN provider. We recommend IPVanish.
  • Download the VPN app, making sure to choose the right version for your device.
  • Load the VPN app and connect to the nearest server (for best speed).
  • Start up Kodi. That’s it, you’re connected!
  • It’s as simple as that! You may, however, want to enable the kill switch if your VPN app supports it; it halts all traffic should the VPN connection drop.

If you have a device that doesn’t support VPNs, you may need to set the VPN up on a Wi-Fi router. You can do this either by using a laptop to set up a virtual router, or by configuring the VPN on a physical router. You may need to flash new firmware onto your physical router if it doesn’t support VPNs. We recommend Tomato or DD-WRT. ExpressVPN sells pre-configured routers with VPNs already set up.

Kodi is completely open-source and legal software, and you are free to download and install it on whatever device you like. Any of the officially sanctioned add-ons should be fine to use without breaking any laws.

That being said, we realize that many Kodi users want more than what’s offered in the stock version of Kodi. Third-party add-ons often stream content from sources not sanctioned by the copyright holder. In many cases, these streams might be illegal depending on your country’s laws or regulations. The add-ons might source their content from torrents, pirated IPTV streams, and websites hosting content without a content license.

United Kingdom

In the UK, vendors selling devices pre-loaded with third-party add-ons have been fined large amounts for selling “piracy boxes” that falsely claimed to be legal. Additionally, the chair of the UK’s National Trading Standards stated that anyone selling or operating a Kodi box with pirated content is in breach of copyright laws. There have been no cases of the police tracking down Kodi users for watching content on Exodus or Sanctuary, but there’s a first time for everything.

Your internet service provider might forward you threatening settlement letters from copyright trolls or choke your bandwidth. Those who insist on using these add-ons often utilize VPNs to hide their activity.

US

As in most countries, downloading copyrighted content without paying for it or without permission is illegal. However, there is no precedent of anyone getting into trouble for streaming pirated video. It’s unclear if the temporary files downloaded during the streaming process fall under the same legal umbrella as, say, torrenting entire video files onto one’s hard drive.

ISPs make their own rules, so even if streaming pirated video from Kodi falls into a legal gray area in the US, your ISP might frown upon it and subsequently throttle bandwidth or suspend service.

Canada

According to law professor Michael Geist, “The law exempts temporary reproductions of copyrighted works if completed for technical reasons. Since most streaming video does not actually involve downloading a copy of the work (it merely creates a temporary copy that cannot be permanently copied), users can legitimately argue that merely watching a non-downloaded stream does not run afoul of the law.”

Geist notes that enforcement against Kodi users would be “exceptionally difficult,” in any case.

Australia

While there’s no precedent of anyone being successfully sued or charged with a crime for streaming pirated video in Australia, doing so remains a legal gray area. One case that concluded in late 2015 gave some indication that downloading parts of copyrighted content is illegal, although it’s unclear if that would also pertain to the temporary files used by streams.

An amendment to the Online Infringement Act passed in 2015 allowed the government and ISPs to block access to websites that contain pirated content.

India

India is a particularly interesting case because it’s one of the very few countries with a court precedent that explicitly allows people to stream pirated content online. Torrenting and downloading is still illegal (though hardly enforced), as is uploading and hosting content. But streamers, including Kodi users, seem to be in the clear.

Comparitech does not condone or encourage any violation of copyright restrictions, including illegal streaming through Kodi. Kodi can be used for many excellent, legal online streaming purposes. Please consider the law, victims, and risks of piracy before downloading or streaming copyrighted material without permission.

As of June 2017, rumors are swirling as to the fate of the TVAddons website and the Fusion repository, likely the most popular add-on repository for Kodi users. The repository, website, and Indigo installer went down for several weeks but came back online in August with a new anti-piracy focus.

Around the same time, some popular add-ons have also gone offline, including SALTS and Phoenix.

The Fusion/Indigo repository housed several add-ons that scrape links to pirated video streams. The fallout after a disturbing court fight left TVAddons without its core user base, forcing the site to rebuild from almost nothing but data backups.

To that end, we’re going to recommend a few 100 percent legal add-ons from the official repository, which comes pre-installed on Kodi.

  • Youtube – watch YouTube videos from Kodi and sync your Youtube account
  • Crackler – free movies and TV shows from Crackle
  • Crunchyroll – anime and cartoons
  • FunimationNOW – anime and cartoons
  • DailyMotion – user-uploaded content including some TV shows and movies
  • iPlayer WWW – BBC iPlayer for Kodi, including all your favorite BBC originals
  • Twitch – the biggest name in live gaming
  • Vimeo – kind of like Youtube, includes a handful of movies and TV shows
  • HDHomeRun – streams your cable or over-the-air signal onto Kodi
  • LazyTV – no videos here, but useful for tracking what you’ve watched
  • Trakt – track, manage, and share what you watch on Kodi

Is Kodi safe and secure?

Kodi is a project maintained by volunteers. They do an excellent job, but it would be asking too much for them to account for every scenario in which a hacker might try to take advantage of their work. Right now, Kodi users should protect themselves against the following threats:

  • Man-in-the-middle attacks
  • Malicious add-ons
  • “Piracy boxes” with Kodi pre-installed
  • ISP snooping

Man-in-the-middle attacks and ISP snooping can occur while data is in transit, such as while streaming a video on Kodi. The best defense against these security issues is to use a VPN. Short for Virtual Private Network, a VPN will encrypt all of a device’s internet traffic and route it through a remote intermediary server, hiding both the contents of your activity and its destination. A reputable VPN makes it next to impossible to monitor or trace Kodi users. IPVanish is probably the most popular VPN with Kodi users and works with all add-ons.

In addition to a VPN, use an antivirus program, if your operating system supports one, to prevent malicious add-ons from stealing your private information and installing malware. We recommend Bitdefender, which doesn’t impact performance much and scores highly in independent testing. If you want to try something cheaper that is still fast and effective, Total AV is running a promotion which reduces a year’s access to $19.95 and includes a 30-day money-back guarantee.

Man-in-the-middle attacks

Researchers at antivirus company Bitdefender published a detailed article in 2015 about a vulnerability in Kodi’s update function. As far as we are aware, the vulnerability has not yet been patched.

When Kodi is launched, it checks for new updates for all installed add-ons and downloads them if necessary. The entire process happens over unencrypted HTTP. That means an attacker could intercept the traffic and send a modified, malicious add-on to the user. Bitdefender says the add-ons are not verified.

This is called a “man-in-the-middle” attack, and it’s fairly simple to pull off but not very common. Once the malicious add-on is in place, it can execute Python code. Bitdefender’s researchers were able to recreate attacks on OpenELEC and Windows. They captured the user’s YouTube credentials on the former and executed code with escalated privileges on the latter.

MITM attacks can be mitigated with a VPN, but not entirely prevented. A VPN encrypts the traffic between your device and the VPN server, which will prevent most of this sort of hack. There’s still a small chance, however, that the attacker could intercept traffic between the VPN server and the add-on repository, which is not encrypted.
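One way to check an install for the unencrypted update channel described above, as an added example that is not from the original article or from the Kodi project: the Python script below parses repository add-on definitions (addon.xml) and lists the index, checksum and download URLs that are not fetched over HTTPS. The add-on ids and hosts are constructed samples; on a real device you would feed it the addon.xml files from Kodi's add-ons folder, whose location is an assumption that varies by platform.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REPO_POINT = "xbmc.addon.repository"
URL_TAGS = ("info", "checksum", "datadir")  # index, index checksum, zip location

# Constructed addon.xml samples; the ids and hosts are placeholders, not real repositories.
SAMPLE_ADDONS = [
    """<addon id="repository.sample.plain" version="1.0.0">
      <extension point="xbmc.addon.repository">
        <info compressed="false">http://repo.example.invalid/addons.xml</info>
        <checksum>http://repo.example.invalid/addons.xml.md5</checksum>
        <datadir zip="true">http://repo.example.invalid/zips/</datadir>
      </extension></addon>""",
    """<addon id="repository.sample.mixed" version="2.1.0">
      <extension point="xbmc.addon.repository"><dir>
        <info>https://repo.example.invalid/addons.xml</info>
        <checksum>https://repo.example.invalid/addons.xml.md5</checksum>
        <datadir zip="true">HTTP://cdn.example.invalid/zips/</datadir>
      </dir></extension></addon>""",
    """<addon id="plugin.video.sample" version="0.3.0">
      <extension point="xbmc.python.pluginsource" library="main.py"/></addon>""",
]

def insecure_repo_urls(addon_xml):
    """Return (addon id, [(tag, url), ...]) for repository URLs not fetched over HTTPS."""
    root = ET.fromstring(addon_xml)
    findings = []
    for ext in root.iter("extension"):
        if ext.get("point") != REPO_POINT:
            continue  # ordinary add-on, not a repository definition
        for el in ext.iter():  # covers both flat and <dir>-wrapped layouts
            url = (el.text or "").strip()
            if el.tag in URL_TAGS and url and urlparse(url).scheme.lower() != "https":
                findings.append((el.tag, url))
    return root.get("id"), findings

def audit(addon_xml_docs):
    """Map each repository add-on id to its cleartext URLs; clean add-ons are omitted."""
    report = {}
    for doc in addon_xml_docs:
        addon_id, findings = insecure_repo_urls(doc)
        if findings:
            report[addon_id] = findings
    return report

if __name__ == "__main__":
    for addon_id, findings in audit(SAMPLE_ADDONS).items():
        for tag, url in findings:
            print(f"{addon_id}: <{tag}> is fetched without TLS: {url}")
```

A repository that serves its index over HTTPS but its zip files over HTTP, like the second sample, still exposes the add-on download itself to modification in transit.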

Malicious add-ons

Perhaps the biggest threat to Kodi users is malicious add-ons. The basic Kodi software doesn’t contain any content on its own, and its official repository is pretty limited. The vast majority of users stream video via unofficial third-party add-ons. Because these are not sanctioned by Kodi, likely due to legal reasons, the add-ons do not undergo any formal inspection.

A malicious add-on can execute code on your computer to escalate privileges, steal data like login credentials, and install malware, viruses, and/or botnets onto your device.

Many experts recommend “sandboxing” Kodi for this reason. Sandboxing means Kodi runs in an environment that’s cut off from the rest of your system. If you use Kodi on your everyday laptop, smartphone, or tablet, be sure to keep antivirus and a VPN enabled every time you launch it.

Stick to popular, well-reviewed add-ons and repositories. Doing so doesn’t guarantee all your add-ons are safe, but savvy users are more likely to spot a vulnerability in a widely used add-on and inform the public than in an add-on with only a few dozen installs.

Furthermore, clean out unused add-ons and repositories regularly. Kodi add-ons update automatically, so the fact that an add-on isn’t malicious today doesn’t mean it won’t be tomorrow.

Devices with Kodi pre-installed

Installing Kodi is a fairly simple process on any supported device, but some prospective users might want to forgo the hassle and just buy something with Kodi pre-installed. Those who do need to be extremely wary, as devices that come with Kodi built-in might contain backdoors and other exploits for hackers to take advantage of.

These “piracy boxes” sold by shady YouTubers and eBay salespeople have become such a problem that they are “killing Kodi,” according to the official Team Kodi developers. Not only can these products harm users and their devices, they often don’t work very well and come loaded with broken add-ons.

If you want a device that comes pre-loaded with Kodi, we recommend one of the many products from the team at WeTek, which also makes the OpenELEC Linux distro.

ISP snooping

It’s no secret that many of the most popular Kodi add-ons stream from legally questionable sources. These include unsanctioned streaming sites, torrents, and live IPTV streams from who-knows-where.

As such, copyright trolls and other entities working on behalf of rights holders could be monitoring links and torrents for the IP addresses of Kodi users. Once they’ve gathered up a few hundred IP addresses, they can contact the internet service providers hosting those IP addresses.

In response, ISPs can do a number of things. They can email Kodi users a settlement letter asking for compensation on behalf of the copyright troll/holder, ask the user to cut it out, throttle the user’s bandwidth, or do nothing at all.

Remember that in the United States, an IP address does not constitute an identity. If you receive a settlement letter, the best thing to do is to ignore it. If you respond, you’ll have confirmed your identity, and then you’re in trouble. Settlement letters are not legal documents, so there’s no need to respond.

To avoid this situation altogether, the best thing to do is use a VPN. If your traffic is encrypted and routed through a VPN server, then copyright trolls cannot identify your real IP address, and your ISP cannot monitor your traffic.
