It was a little over twelve months ago that TunnelBear published the consumer VPN industry’s first independent, public security audit. We were ecstatic when it made waves in the news and security circles. It made enough noise that we were fully expecting other major VPN service providers to quickly follow suit and complete their own independent security audits. We dreamt of a new benchmark in the industry, where VPN providers might start competing to earn trust through greater transparency.
It turns out we set our expectations a little high. Over the last twelve months, the industry has remained largely silent. Recently, one other VPN service completed an audit - with a smaller scope of only their VPN apps. The industry also suffered a series of events that served to further erode the reputation of VPN providers. First, there was Facebook’s purchase of Onavo and the subsequent push to its users, which was widely regarded as "corporate spyware" masquerading as a security product. Then came Anchorfree's Hotspot Shield being accused of routing user traffic through ad networks. Finally, the largest piece of VPN news for the year was Russia and China making VPN use illegal inside their borders. Now more than ever, people need concrete reasons to trust their VPN provider, and very few providers seem to be doing much of anything to foster that trust.
For the TunnelBear team, 2018 has been a busy year. We’ve expanded into a new TunnelBear office. We released RememBear, our incredible new password manager (also audited). We also joined McAfee, where we’ve seen strong support to continue operating TunnelBear with the same principles of privacy, transparency and security that made TunnelBear great in the first place. In many ways, 2018 taught us a lot about the power of public opinion, our values and where we need to focus in order to keep earning trust.
To continue building that trust, we are excited to announce that TunnelBear has completed our annual security audit. TunnelBear is the first VPN provider to complete independent, public security audits year-on-year. While one vendor has come forward to complete a partial security audit, TunnelBear remains the only VPN provider in the world to complete public, end-to-end, independent security audits of our entire infrastructure. It really makes us scratch our heads and wonder why more vendors haven’t stepped up to demonstrate they take security as seriously as TunnelBear.
If you haven’t read TunnelBear’s 2017 security audit, here’s a quick recap of our approach. Cure53, a respected cybersecurity company, returned as our auditor. The scope of the audit was large, or as Cure53 described it, “a vast and nearly all encompassing scope of the TunnelBear web applications, clients, extensions and the connected core services.” The audit took place over the course of 30 days. We used a “white-box” approach, where Cure53 was given full access to our systems and code.
As the auditor, Cure53’s opinions and findings are their own, with the results being independently published on their website. All findings discovered during the audit process were promptly addressed by TunnelBear’s engineering team, and verified to be fixed by Cure53.
TunnelBear was given the opportunity to provide feedback on the final report, before it was published, where we felt findings were inaccurate or irreproducible. As is the case with most security audits, Cure53 was paid for their work. We wouldn’t expect any cybersecurity company to spend a few hundred hours auditing our code for free.
What are the 2018 results?
Cure53’s complete report is available on their website. To summarize, they discovered 2 “critical”, 5 “high”, 3 "medium", 7 "low", and a few "informational" issues - all of which were promptly fixed. The more serious vulnerabilities would have required an attacker to have direct access to the device, and be logged in as a guest. However, under those circumstances it would have allowed attackers to escalate app permissions to give them root access to a device, modify executables and bypass non-strict host matching.
Taking the size and scope of the audit into consideration, we were satisfied with the results. Of course we would have preferred a perfectly clean bill of health; however, with two audits under our belt, this has served as a reminder of the importance of regular, independent testing in addition to our internal checks and balances. As Cure53 put it, “All in all, the security at TunnelBear has once again improved by leaps and bounds.” This year’s audit once again helped us discover, assess and fix issues proactively rather than reactively.
Another positive outcome of collaborating with Cure53 on our 2018 audit was a clearer path to the architectural changes we can make to our VPN apps. In the year to come, we will be making further improvements to harden our apps and reduce vulnerabilities across TunnelBear’s client apps and network.
TunnelBear’s commitment and open challenge to the VPN industry
The TunnelBear team is committed to annual security audits for all our products. We do them not just because they make our service more secure, but because VPN services need to be built on a strong foundation of transparency and independent verification - not marketing claims.
Security audits are not a magic bullet. They don’t address some of the underlying privacy and data retention issues that continue to plague the VPN industry. What a security audit does is provide a basis for any VPN service to make substantive claims regarding the protection their service offers. We think audits should be the minimum bar in the industry and we’re calling on all VPN service providers to back up their security claims and do independent security audits of their own. If you’re a customer of another VPN provider, we think it’s time to ask them what they’ve done to actually demonstrate they are secure.