Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise

Martin Brinkmann
Dec 12, 2024
Privacy news

Mullvad VPN is a popular privacy-focused VPN service. It runs on diskless infrastructure and has recently started running its encrypted DNS servers entirely in RAM as well. You can also buy Mullvad codes on Amazon or pay through other methods that keep you anonymous.

In late 2024, Mullvad asked the Germany-based firm X41 D-Sec to conduct an audit of the service, the fourth external security audit since 2018.

X41's engineers were tasked with auditing the source code of Mullvad's VPN apps on all platforms and with penetration testing. The work took place between October and November 2024.

Vulnerabilities were found

X41 D-Sec found a total of six vulnerabilities:

  • Three rated high severity.
  • Two rated medium severity.
  • One rated low severity.

In addition, the researchers noted three further issues with security implications.

Mullvad fixed the issues that were within its scope. Some of the findings cannot be fixed by Mullvad at all, because they stem from the behavior of operating systems or protocols rather than from Mullvad's own code.

All three issues rated high have been fixed. They were:

  • A potential heap corruption issue on Android, Linux, and macOS.
  • An issue in the fault signal handler of mullvad-daemon, affecting Android, Linux, and macOS.
  • The Windows installer invoking taskkill.exe by bare name rather than by absolute path, so that an attacker-planted taskkill.exe in a directory Windows searches before System32 could be executed instead.
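The following is an added example, not Mullvad's installer code or anything from the X41 report. It emulates the documented Windows CreateProcess search order for an executable name that carries no directory component (application directory, parent's current directory, System32, the Windows directory, then PATH; the 16-bit System directory is omitted) against a constructed filesystem snapshot, and contrasts it with the hardened form that builds the absolute path from %SystemRoot%. The snapshot, the victim paths and the PATH value are all assumptions for the demo.

```python
"""Why a bare "taskkill.exe" is risky: added example, not Mullvad or X41 code.

Emulates the documented Windows CreateProcess lookup order for a file name
without a directory component, against a constructed filesystem snapshot.
"""
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed snapshot (assumption for the demo) of which executables exist.
# The second entry is what an attacker with write access to the user's
# Downloads folder could plant next to a freshly downloaded installer.
CONSTRUCTED_FS = {
    r"c:\windows\system32\taskkill.exe",
    r"c:\users\victim\downloads\taskkill.exe",   # attacker-planted
}

SYSTEM_ROOT = r"C:\Windows"


def _exists(path: str, fs=CONSTRUCTED_FS) -> bool:
    # Windows paths are case-insensitive; normalise before the lookup.
    return path.lower() in fs


def create_process_search_order(app_dir: str, cwd: str, path_env: str,
                                system_root: str = SYSTEM_ROOT) -> List[str]:
    """Directories CreateProcess tries, in order, for an unqualified name:
    the application's own directory, the parent's current directory,
    System32, the Windows directory, then the PATH entries left to right."""
    return [app_dir, cwd,
            str(PureWindowsPath(system_root) / "System32"),
            system_root,
            *[p for p in path_env.split(";") if p]]


def resolve_unqualified(name: str, app_dir: str, cwd: str, path_env: str,
                        fs=CONSTRUCTED_FS) -> Optional[str]:
    """What a command line such as 'taskkill.exe /F /IM ...' really runs:
    the first directory in search order that contains a file of that name."""
    for directory in create_process_search_order(app_dir, cwd, path_env):
        candidate = str(PureWindowsPath(directory) / name)
        if _exists(candidate, fs):
            return candidate
    return None


def resolve_system32(name: str, system_root: str = SYSTEM_ROOT,
                     fs=CONSTRUCTED_FS) -> str:
    """Hardened variant: build the absolute path under %SystemRoot%\\System32
    and refuse anything else. No directory search takes place, so a planted
    copy is never considered, no matter where the installer was launched."""
    if PureWindowsPath(name).name != name:
        raise ValueError("expected a bare file name, got %r" % name)
    candidate = str(PureWindowsPath(system_root) / "System32" / name)
    if not _exists(candidate, fs):
        raise FileNotFoundError(candidate)
    return candidate


if __name__ == "__main__":
    downloads = r"C:\Users\victim\Downloads"
    path_env = r"C:\Windows\System32;C:\Windows"   # assumed PATH
    # Installer launched from Downloads: the planted binary wins.
    print(resolve_unqualified("taskkill.exe", downloads, downloads, path_env))
    # Same code launched from a clean directory: falls through to System32.
    print(resolve_unqualified("taskkill.exe", r"C:\Temp", r"C:\Temp", path_env))
    # Absolute path: the same answer regardless of launch location.
    print(resolve_system32("taskkill.exe"))
```

The point the two `resolve_unqualified` calls make is that the bug is position-dependent: the same installer is safe when run from an empty directory and hijackable when run from a directory an attacker can write to, which is exactly why an audit flags the bare name rather than waiting for a reproducible crash.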

Not all issues can be fixed by Mullvad

One medium-rated issue, for instance, may leak the virtual IP address of the tunnel device to network-adjacent hosts; it affects Linux and Android only. On Linux, Mullvad resolved it by changing a kernel parameter.

On Android, Mullvad's app has no control over that parameter. The company has reported the issue to Google in the hope that Google will change the default behavior on Android.

Note that the issue affects other apps on Android as well. Mullvad says it does not consider the leak high severity: it may reveal the tunnel IP to network-adjacent observers, but tunnel IPs are rotated monthly, and signing out of the app and back in also assigns the client a new tunnel IP address.

Closing Words

Security audits find potential vulnerabilities, which companies may then fix proactively. They may also help instill confidence in existing or future users of the service, especially if conducted regularly.

Now it is your turn. Do you use a VPN? If so, which one and why? Feel free to leave a comment below.

 

Publisher: Ghacks Technology News


Comments

  1. efromme said on December 15, 2024 at 2:41 pm
  2. Robert said on December 14, 2024 at 1:30 am

    I have been using Mullvad VPN for a couple of years now. I have WireGuard set up on a GL-iNet home router and also run the app on Windows and Linux at the same time for a multi-hopping experience with the router. Works great. I just updated the apps for added security thanks to this article.

    I wish that Mullvad would let me pay for a year using Bitcoin. The yearly option only seems to be there if paying by Visa.

  3. TelV said on December 13, 2024 at 2:37 pm

    I use Mullvad, but not through their own app. Instead I’ve installed the standalone WireGuard app, which you can download from here: https://www.wireguard.com/

    How to configure Mullvad to use Wireguard is explained here: https://mullvad.net/en/help/wireguard-app-windows

    For additional security, I also use Mullvad’s SOCKS 5 proxy for which the connection settings are 10.64.0.1 through Port 1080. It looks like this on Firefox: https://i.postimg.cc/vH8jgxQX/SOCKS-5-proxy-on-FF.png (scroll further down to the bottom and checkmark “Proxy DNS when using SOCKS 5” and then click OK).

    Besides the additional safeguard of maintaining your anonymity in the event the VPN fails, the setting also allows users to run Mullvad VPN on systems which they don’t normally support, which in my particular case is Windows 8.1.
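As an added example, not part of the comment above and not Mullvad's or WireGuard's code, the following encodes and decodes the RFC 1928 messages a client exchanges with a SOCKS5 proxy such as the 10.64.0.1:1080 endpoint the commenter uses. It shows on the wire what the "Proxy DNS when using SOCKS 5" checkbox changes: with it on, the hostname is sent as address type 0x03 and resolved by the proxy; with it off, the client resolves the name itself, so only the resulting address reaches the proxy and the DNS query is made outside the proxy path. The server reply is constructed inline; no network I/O takes place, and the proxy address and port are taken from the comment, not verified here.

```python
"""SOCKS5 CONNECT with and without proxy-side DNS (RFC 1928).

Added example, not Mullvad code. Pure message encoding/decoding, no sockets.
"""
import ipaddress
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
NO_AUTH = 0x00


def greeting() -> bytes:
    """Client hello offering only the 'no authentication' method."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(target: str, port: int) -> bytes:
    """CONNECT request. An IP literal goes out as ATYP 1/4 (the client already
    resolved it, i.e. proxy DNS off); anything else goes out as ATYP 3 so the
    proxy does the lookup (proxy DNS on)."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        name = target.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def _parse_addr(atyp: int, body: bytes) -> Tuple[str, bytes]:
    """Decode DST/BND address of the given type; return (address, remainder)."""
    if atyp == ATYP_IPV4:
        return str(ipaddress.IPv4Address(body[:4])), body[4:]
    if atyp == ATYP_IPV6:
        return str(ipaddress.IPv6Address(body[:16])), body[16:]
    if atyp == ATYP_DOMAIN:
        n = body[0]
        return body[1:1 + n].decode("idna"), body[1 + n:]
    raise ValueError("unknown address type %d" % atyp)


def parse_connect(request: bytes) -> Tuple[str, int, bool]:
    """Decode a CONNECT request into (destination, port, resolved_by_proxy).
    resolved_by_proxy is True only for ATYP 3, i.e. when no DNS query left
    the client; for ATYP 1/4 the lookup already happened locally."""
    if len(request) < 4 or request[0] != SOCKS_VERSION or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    dst, rest = _parse_addr(atyp, request[4:])
    if len(rest) != 2:
        raise ValueError("bad request length")
    return dst, struct.unpack("!H", rest)[0], atyp == ATYP_DOMAIN


def parse_reply(reply: bytes) -> Tuple[int, str, int]:
    """Decode the proxy's reply into (status, bound_address, bound_port).
    Status 0x00 means the proxy established the connection."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    addr, rest = _parse_addr(reply[3], reply[4:])
    if len(rest) != 2:
        raise ValueError("bad reply length")
    return reply[1], addr, struct.unpack("!H", rest)[0]


if __name__ == "__main__":
    # Proxy DNS on: the name itself travels to the proxy.
    req = build_connect("example.com", 443)
    print(req.hex(), parse_connect(req))
    # Proxy DNS off: the client resolved first; the proxy only sees the IP.
    req = build_connect("93.184.216.34", 443)
    print(req.hex(), parse_connect(req))
    # Constructed success reply, bound to the proxy address from the comment.
    print(parse_reply(b"\x05\x00\x00\x01\x0a\x40\x00\x01\x04\x38"))
```

Wiring this to a real socket is a matter of sending `greeting()`, checking for the two-byte `05 00` method selection, sending `build_connect(...)` and feeding the answer to `parse_reply`; the value of the checkbox is visible in the third element `parse_connect` returns.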

  4. zablet said on December 13, 2024 at 1:22 am

    I also switched to Mullvad after doing some homework and using a couple of other (not as good) VPNs.

    There are maybe 2 or 3 VPNs that I would trust these days, and trust is what you’re paying your VPN for. Any VPN that is not audited and is not run by people who are identifiable as real accountable humans with first and last names and who have a history in the privacy community could just as easily be owned by the NSA as anyone else, and at least one is. My short list came down to Mullvad and Proton; I chose and am very happy with the former, but know people who are happy with the latter.

    My priority is privacy. If you want a VPN primarily for access to geo-blocked streaming services, Mullvad would not be my first choice. Fine for torrents, however.

  5. santa claws said on December 13, 2024 at 1:07 am

    I had been using ProtonVPN for some time now.
    Several months ago I read an article on the Mullvad blog about DAITA
    (Defense Against AI-guided Traffic Analysis): https://mullvad.net/en/vpn/daita
    This is what I want!! A VPN that takes the lead, and leaves the rest behind!

  6. Dave said on December 12, 2024 at 5:49 pm

    I was a long-time user of PIA (Private Internet Access). I started doing some research on VPNs and came to realize that PIA was not a very good choice. When that subscription ran out, I became a Mullvad user. I have been with them for going on two years and I am quite pleased with their service.
    Why do I use a VPN? With the internet becoming the cesspool that it is, with ads, tracking, etc., I feel more comfortable using a VPN. I limit myself in what sites, services, etc. I use, so hopefully my footprint is not that big or unique.

    1. efromme said on December 12, 2024 at 9:04 pm

      You are not clear why you rejected PIA or why you chose Mullvad. Enlighten us.

      1. Dave said on December 13, 2024 at 4:57 pm

        As for PIA, read Martin’s article from 2021 concerning Kape’s acquisition of Express VPN
        (link – https://www.ghacks.net/2021/09/15/is-kapes-acquisition-of-expressvpn-cause-for-concern/).
        For Mullvad, it comes down to privacy. I recall an article about the police showing up with a warrant asking for their logs; Mullvad said sorry, we don’t keep logs, and the police left empty-handed.

      2. idontmatter said on December 18, 2024 at 4:04 pm

        Those are assumptions. PIA has the same story..

  7. Tachy said on December 12, 2024 at 3:18 pm

    Express VPN, It’s fast, it’s diskless. Because google makes billions off our personal data and I don’t get my cut.

  8. efromme said on December 12, 2024 at 2:56 pm

    Interesting post. Would like to read more such posts about VPNs..
