A security assessment of the Mullvad VPN apps has concluded that the apps are well-architected from a security perspective. Some issues were found, and they have been fixed to the extent possible.
At Mullvad we perform external security audits of our VPN apps every two years. We did this both in 2018 and 2020. Two more years have passed and Atredis Partners have just performed a penetration test and source code audit of our app. The security assessment included all five supported platforms: Windows, Linux, macOS, Android and iOS.
Quoting the key conclusions of the report:
Overall, Atredis Partners found the Mullvad VPN clients to be well-architected from a security perspective, with limited attack surface that could be reached by an external malicious party, and important protection mechanisms were in place to prevent most unintended traffic leaks. Atredis Partners detected a few edge cases where traffic could be accidentally leaked outside the VPN tunnel. These leaks were either patched quickly by the Mullvad team or were due to the operating system itself, in which case the Mullvad team updated documentation and submitted issues to the operating system vendor where appropriate.
As in any security assessment, some areas for improvement were noted, but overall Atredis Partners would rate the Mullvad VPN clients as sound from a security perspective.
Read the report
The full final report is available on Atredis' website as well as in our app's source code repository.
An independent audit helps us to discover potential security vulnerabilities and fix them, all resulting in an even better service for our users. It also gives you the opportunity to judge whether or not we are technically competent enough to provide a service in which security is paramount.
Upgrade the app
The audit identified only two findings that were issues in the actual Mullvad app. The rest were limitations and flaws of the underlying operating system, and we could do nothing but document these flaws and put pressure on the operating system vendors to fix them.
The two issues that were fixed were part of the 2022.5 release of our desktop app. Please upgrade if you use something older, as it fixes potential leaks during computer startup and shutdown. Android and iOS users do not need to upgrade because of this audit, but we always encourage users to run the latest version.
Overview of findings
This section presents Mullvad's response to all the security findings from the report. To read what the findings are about, see the report.
Out of the five findings, two are of medium severity, two are low and one is informational. This means that the auditors did not find anything of high or critical severity.
MUL22-01 (Low): Out-of-Bounds Read in win-split-tunnel (Windows)
The access permissions on the device exposed by the mullvad-split-tunnel kernel driver require the connecting process to have administrator privileges, and the driver only allows a single user space process to be connected to it at any point in time. An attacker would therefore need both administrator privileges and to stop the mullvad-daemon service before they could connect to the driver and trigger the bug. Mullvad deems this both unlikely to happen and out of scope for what the app should try to protect against: an attacker who already has administrator privileges can do far worse things than exploit this bug.
This bug will likely not enable privilege escalation. The attacker already needs to be administrator, and we have no indication that an administrator could use this to gain further privileges.
Regardless of the low severity, the bug has been fixed in the kernel driver. This PR fixes the bug, and the patched driver was included in app version
MUL22-02 (Medium): Leak of Traffic During System Shutdown
A while before the audit started, Mullvad engineers discovered that there was a time window during boot on both Linux and macOS where traffic could leak, even with "Launch app on start-up" and "Auto-connect" enabled. The cause was that our system service (mullvad-daemon) was not configured to start before the OS initializes the network. If the OS decided to start mullvad-daemon late in the boot process, other programs could communicate with the network without a VPN for a few seconds. This was reported to Atredis as a known issue just before the start of the audit, and a fix was developed in parallel. The bootup leak was fixed on Linux at the same time as the audit started.
Just a week after the bootup leak was fixed, Atredis reported MUL22-02, where they found a similar potential leak window during shutdown on Unix based platforms. Upon investigation, Mullvad concluded that the issue was present on Windows as well. The bug was mitigated on all three desktop operating systems in two different PRs: #3940 for Linux and macOS and #3942 for Windows. All fixes were included in app version 2022.5-beta1, including the one for startup leaks on Linux.
The only issue in this area that we have not been able to fully mitigate is the potential leak during startup on macOS. That is because macOS does not allow a system service to specify dependencies or the order in which services need to start, so there is no way known to us to force macOS to start mullvad-daemon before the network is configured. We have updated our security documentation to reflect this known issue, and we will work towards making it more transparent to our users.
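The Linux side of the startup fix described above is an ordering constraint on the daemon's systemd unit. The fragment below is an added illustration and not Mullvad's actual unit file (which lives in the project's source repository): it shows a unit with no ordering relationship to the network next to one that asks systemd to start the service before network configuration begins. The unit name, description and binary path are assumptions.

```ini
# Added illustration of the systemd ordering problem discussed above.
# This is NOT Mullvad's unit file; the unit name, Description and
# ExecStart path are assumptions made for the example.

# ---- File 1: /etc/systemd/system/example-vpn-daemon.service (leaky) ----
# Nothing here ties this unit to network bring-up, so systemd is free to
# start it after interfaces are already configured. Any unit that came up
# earlier can talk to the network before the VPN firewall exists.
[Unit]
Description=Example VPN daemon (no ordering)

[Service]
Type=simple
ExecStart=/usr/bin/example-vpn-daemon
Restart=always

[Install]
WantedBy=multi-user.target

# ---- File 2: /etc/systemd/system/example-vpn-daemon.service (ordered) ----
# network-pre.target is the passive target that network management
# services (NetworkManager, systemd-networkd, networking.service) order
# themselves After=. A unit that both pulls it in (Wants=) and is ordered
# Before= it is started before any of them configures an interface, which
# is what a service that installs a "block everything but the tunnel"
# firewall needs. See systemd.special(7).
[Unit]
Description=Example VPN daemon (ordered before network configuration)
Wants=network-pre.target
Before=network-pre.target

[Service]
# Type=notify matters: with Type=simple a unit counts as "started" the
# moment its process is forked, so Before= would only guarantee that the
# daemon has been exec'd, not that its firewall rules are in place. With
# Type=notify the start job completes only when the daemon sends READY=1
# (sd_notify), which the example daemon is assumed to do after the rules
# are loaded.
Type=notify
ExecStart=/usr/bin/example-vpn-daemon
Restart=always

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl show -p Before,Wants example-vpn-daemon.service` confirms that both directives were picked up. Two caveats: the ordering only holds against network managers that themselves order `After=network-pre.target` (the common ones do, but a custom network script may not), and it says nothing about the shutdown window covered by the rest of MUL22-02, which has to be handled by firewall state that outlives the daemon rather than by unit ordering. launchd on macOS has no equivalent of `Before=`, which is why the macOS startup case remains open as the text says.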
MUL22-03 (Medium): Connectivity Checks Bypass VPN (Android)
In general there is not much Mullvad can do to prevent this traffic leak from happening. We can only raise awareness of it and try to put pressure on Google to allow the user to disable the connectivity check. We have done the following in response to this finding:
- Blog about the leak more in depth
- Created a guide allowing more technical users to disable the connectivity check
- Reported that the Android documentation around "Block connections without VPN" is misleading
- Requested a user facing setting for disabling the connectivity check
- Updated our security documentation to mention this limitation
MUL22-04 (Low): Permissive Inbound Network Filtering (Android)
As far as we can tell, there is nothing Mullvad or any other VPN app can do about this: Android will not block incoming connections. However, this is still regarded as a low severity issue, since the device must actively expose a service to the network for there to be anything to connect to.
We have updated our security documentation to mention this limitation.
MUL22-05 (Info): Siri Shortcuts Susceptible to Manipulation (iOS)
The Siri shortcut integration is opt-in and not enabled by default. On top of that, Mullvad considers the attack to be more an attack on Siri's authentication than on our app: Siri is supposed to respond only to the owner's voice.
If this finding is a concern for you, we recommend disabling the Siri integration in the Mullvad app.
We wish to thank Atredis Partners for the smooth collaboration, good communication and great security assessment work!