TL;DR
A security researcher discovered that Mullvad VPN’s deterministic exit IP assignment allows for potential user identification. Despite large IP pools, limited IP combinations mean users can be correlated. The implications could affect user privacy and anonymity.
A security researcher has demonstrated that Mullvad VPN’s method of assigning exit IPs, based on user keys, can be used to identify and correlate users despite the VPN’s large IP pools. This finding raises concerns about user privacy for Mullvad’s users.
The researcher conducted tests by repeatedly changing the public keys used with Mullvad’s WireGuard configuration and fetching the assigned exit IPs across multiple servers. Despite Mullvad’s design to assign a unique IP combination for each user, the data showed that only 284 IP combinations were used across thousands of tested keys, representing a significant reduction from the expected number given the large IP pools. Further analysis indicated that Mullvad appears to use a seed-based pseudo-random number generator (RNG) in its IP assignment process, likely implemented in Rust, which results in predictable IP patterns. This predictability means that users sharing certain IPs can be identified with high confidence, especially when combined with the researcher’s estimation tool that calculates the probability of shared IPs among users.
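The effect described above can be reproduced in a small model. This is an added example, not Mullvad's code or the researcher's tool: it contrasts one small key-derived seed driving every server's choice with an independent choice per server, then estimates how many users share a combination. The server names, pool sizes and seed-derivation rule are assumptions; only the figure 284 comes from the article.

```python
import hashlib
import random

# Constructed model for illustration; none of this is Mullvad's actual algorithm.
# Assumption: hypothetical servers with these exit-IP pool sizes.
POOLS = {"server-a": 40, "server-b": 64, "server-c": 32}
# Assumption: the seed space is set to 284 only to mirror the count in the article.
SEED_SPACE = 284

def _digest(data: bytes) -> int:
    """Stable 64-bit integer derived from arbitrary bytes."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")

def assign_seeded(pubkey: bytes) -> tuple:
    """One small seed per key drives the exit-IP index on every server."""
    rng = random.Random(_digest(pubkey) % SEED_SPACE)
    return tuple(rng.randrange(size) for size in POOLS.values())

def assign_independent(pubkey: bytes) -> tuple:
    """Each server derives its index from key + server name, independently."""
    return tuple(_digest(pubkey + name.encode()) % size
                 for name, size in POOLS.items())

def distinct_combinations(assign, n_keys: int) -> int:
    """Count distinct cross-server IP combinations over n_keys constructed keys."""
    return len({assign(f"constructed-key-{i}".encode()) for i in range(n_keys)})

def expected_sharers(n_users: int, n_combos: int) -> float:
    """Expected number of other users on the same combination (uniform model)."""
    return (n_users - 1) / n_combos

def prob_unique(n_users: int, n_combos: int) -> float:
    """Probability that no other user shares a given user's combination."""
    return (1 - 1 / n_combos) ** (n_users - 1)

if __name__ == "__main__":
    total = 1
    for size in POOLS.values():
        total *= size
    print("theoretical combinations:", total)
    print("seeded, 5000 keys:      ", distinct_combinations(assign_seeded, 5000))
    print("independent, 5000 keys: ", distinct_combinations(assign_independent, 5000))
    print("others sharing a combo among 1000 users:",
          round(expected_sharers(1000, SEED_SPACE), 2))
```

In the seeded model the number of combinations is capped by the seed space regardless of pool sizes, so a combination narrows a user to a small group that stays stable for as long as the key does.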
Why It Matters
This discovery impacts user privacy for Mullvad VPN users, as it suggests that the VPN’s exit IP assignment method may allow for user tracking and identification. Given Mullvad’s reputation for privacy, this could undermine user trust and raises questions about the security of deterministic IP assignment methods in VPN services. The potential for correlation and deanonymization could be exploited by malicious actors or surveillance entities.

Background
Mullvad is known for offering multiple exit IPs per server, with a design that assigns IPs based on user keys that rotate periodically. Prior to this, it was assumed that the large IP pools and randomized assignment would prevent user identification. This research challenges that assumption, revealing that the IP assignment process is more predictable than previously thought, due to the use of seed-based RNGs. The finding aligns with known behaviors of RNGs in programming languages like Rust, which is used in Mullvad’s backend. The research was conducted over a night-long testing period, analyzing thousands of key-IP mappings, and indicates a potential privacy vulnerability in Mullvad’s current setup.
“Despite large IP pools, Mullvad’s IP combinations are limited, making user identification feasible through pattern analysis.”
— researcher
“Using seed-based RNGs for IP assignment introduces predictability, which can compromise user anonymity.”
— security expert

What Remains Unclear
It remains unclear whether Mullvad intentionally uses seed-based RNGs in this manner or if this is an unintended side effect. The exact implementation details of their IP assignment algorithm are not publicly confirmed, and the extent to which this vulnerability could be exploited in real-world scenarios is still being evaluated.

What’s Next
Further investigation is expected from security researchers to verify Mullvad’s internal processes and assess the real-world risk of user deanonymization. Mullvad has not yet issued a public statement addressing these findings. Users and privacy advocates will be watching to see if Mullvad updates its IP assignment method or provides guidance on mitigating potential risks.
Key Questions
Can Mullvad users be definitively identified using this method?
Based on current research, users sharing certain IP combinations can potentially be correlated, but definitive identification would depend on additional factors and data. The risk is significant but not absolute.
Is this a flaw or an intended feature of Mullvad’s system?
The use of seed-based RNGs suggests it may be an implementation detail rather than an intentional privacy feature. Mullvad has not publicly confirmed their IP assignment algorithm.
What can users do to protect their privacy now?
Users should consider additional privacy measures, such as rotating keys more frequently or using different VPN configurations, until Mullvad clarifies or addresses the issue.
Will Mullvad fix this vulnerability?
It is not yet clear whether Mullvad will modify its IP assignment method. The company has not issued an official response as of now.