Review of Mullvad VPN

X41 performed a white box penetration test with source code access against the Mullvad VPN Application. The efforts included formulating a light threat model.

The targets of this test were challenging for the team because of its size, the fact that they run on five different platforms (Linux, Windows, macOS, Android, and iOS), and the regular audits performed by Mullvad VPN. The fact that new vulnerabilities were found in existing code shows that the efforts taken regularly by Mullvad are justified and appropriate for product of such complexity.

It also shows that in mature targets the findings tend to move into domains not under direct control or in direct focus of the application development as can be seen in the findings rooting from specifics of the operating system’s behavior or the interplay of different network layers and protocols.

This is what keeps security audits and tests of mature and hard targets interesting for the team at X41 as well.

Results

A total of six vulnerabilities were discovered during the test by X41.

Overall, the Mullvad VPN Applications appear to have a high security level and are well positioned to protect from the threat model proposed in our report. The use of safe coding and design patterns in combination with regular audits and penetration tests led to a very hardened environment.

The most serious vulnerabilities are considered to be race conditions and temporal safety violations leading to memory corruption issues in the signal handler code. While exploitation of the signal handler code once triggered seems not unlikely, the fact that an attacker first needs to trigger a signal via another fault reduces the severity of the issues. Other vulnerabilities allow leaking information about the identity of a user by network adjacent attackers and to perform side channel attacks that could in specific circumstances reveal which site a client is currently accessing.

The aspect of side channel attacks is mitigated in most parts, except for protocol level attacks that are not within the control of Mullvad VPN AB because they root from a combination of different technologies such as NAT and modern variants of the HTTP protocol. The introduction of obfuscation technologies and proxy services within the protected VPN is an option for users with higher security and privacy demands.

In conclusion, the client applications exposed a limited number of relevant vulnerabilities. Mullvad VPN AB addressed them swiftly and the fixes were audited to be working properly.

X41 would like to thank Mullvad VPN AB for the nice collaboration and smooth communication throughout the audit!

Findings

Mullvad’s announcement about the audit covers each of the findings and their mitigations. The technical details can be found in our report, which we are releasing today.

Full report:
https://x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf

Mullvad announcement:
https://mullvad.net/en/blog/the-report-for-the-2024-security-audit-of-the-app-is-now-available

Mullvad’s previous audits:
https://github.com/mullvad/mullvadvpn-app/tree/main/audits

If you are interested in working with us on such projects in the future, remote or in-office, have a look at our jobs page!