DuckDuckGo recently partnered with third-party firm Securitum to conduct a comprehensive security audit of our VPN and supporting infrastructure. This is the first external security audit of our VPN since its launch as part of Privacy Pro, our 3-in-1 subscription service, in April 2024.
The audit was carried out by a team of Securitum auditors from October 1st to October 22nd, 2024. The focus areas included:
- VPN infrastructure (servers)
- VPN backend/API
- VPN feature for our Android, iOS, macOS, and Windows apps
We are pleased to report that the audit found no critical vulnerabilities, underscoring the strong security measures we have in place for our VPN. (You can read the full report here or see below for a breakdown of the key findings, remediations, and accepted risks.) As part of our commitment to transparency regarding security practices, we plan to conduct external security audits of our VPN regularly.
Read the full report: DuckDuckGo External Security Audit Report 2024

Overview of Results
Securitum reported a total of fifteen issues after their initial test. None were rated critical. Two were rated high-risk, four medium-risk, and nine low-risk. Six of the fifteen issues, namely all of the high- and medium-risk ones, have been fixed.
The remaining low-risk issues, which we have chosen to accept, have a low impact on security or are considered very difficult to exploit. See below for more details on accepted risks.
Key Findings
Resolved: TunnelVision and TunnelCrack
These vulnerabilities make up a significant portion of the findings: four issues ranging from low to high risk. We grouped them together because they all fall under the category of LocalNet attacks, which can occur when a device is connected to an untrusted local network, such as public Wi-Fi, and the attacker controls the router or access point.
- Fixed: On macOS, a malicious router or access point could use a DHCP option (classless static routes, DHCP option 121) to install routes that are more specific than the VPN's own routes. Because the operating system always picks the most specific route, traffic to those destinations would leave the device outside the VPN tunnel (referred to as TunnelVision).
- Fixed: Similarly, a malicious access point could trick the macOS VPN client into sending traffic outside the tunnel by assigning the device a "local" address range that overlaps the addresses the user is trying to reach, so that traffic is treated as local-network traffic (known as TunnelCrack).
- Mitigated (no leakage): On Windows, the impact differs. Instead of leaking, the affected traffic is dropped, which is classified as a denial of service rather than an exposure.
- Unaffected: On Android, these attacks were not possible.
Important notes:
- These attack classes affect VPN clients in general, not just the DuckDuckGo VPN, because they target how the operating system routes traffic rather than the VPN protocol itself.
- Users must first connect to an untrusted access point; individuals on a trusted home network are not exposed to these issues.
- These vulnerabilities are only possible if "Exclude Local Networks" is disabled in settings.
In the event of traffic leakage:
- The contents of leaked traffic can only be read if it is not encrypted. Most reputable websites today use HTTPS (TLS) to encrypt data, so your information remains protected even if a packet leaves the tunnel. Note that the destination of leaked traffic (the IP address and, for HTTPS, the server name sent during the TLS handshake) would still be visible to the rogue access point.
- Users are still more secure with the VPN enabled than without it. A rogue access point could intercept all traffic if the VPN were not in use. With the VPN active, the access point would need to take additional steps to intercept any traffic at all.
All vulnerabilities that resulted in traffic leakage have been fully addressed in the latest versions of the DuckDuckGo Browser on macOS (from version 1.115.0) and iOS (from version 7.146.0). On Windows, where platform constraints prevented us from implementing a sufficient mitigation, the affected packets are simply dropped and no traffic is leaked.
Resolved: Inter-process communication – write permissions for everyone
This high-impact vulnerability specifically affected the Windows platform. On Windows, the DuckDuckGo VPN is split into two components: the browser process and a separate VPN service. These processes need to communicate to execute commands, such as turning the VPN on or off. The inter-process communication channel was initially created with write permissions for everyone, which could allow other users or applications on the same machine to issue commands to the VPN service, potentially turning off the VPN without the primary user being aware.
This vulnerability has been fully addressed from version 0.98.0 of the DuckDuckGo browser for Windows. Exploiting it required the device to already be compromised, or an attacker to have local or physical access to it. Even so, we are now confident that another user on your machine will not be able to interfere with your VPN connection. Additionally, if your VPN turns off unexpectedly, you will receive a visual alert.
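The finding above is a permissions problem on a securable object, and the fastest way to catch that class of bug in review is to inspect the object's DACL. The following is an added example, not DuckDuckGo's code, that flags allow-ACEs granting write-capable rights to broad principals in an SDDL string. It assumes the IPC endpoint is something like a Windows named pipe whose security descriptor can be expressed in SDDL; the report does not say which IPC mechanism the browser and service use, and the "hardened" descriptor below (SYSTEM, Administrators and one specific user SID) is one possible fix, not the one shipped in 0.98.0.

```python
"""Flag over-permissive DACLs on a Windows IPC endpoint, given as SDDL.

Added illustration, not DuckDuckGo's code. Assumes the endpoint is a
securable object (e.g. a named pipe) whose DACL can be written in SDDL.
"""
import re
from typing import List, NamedTuple

# SID aliases that mean "anyone" or "any logged-on user" for this check.
BROAD_PRINCIPALS = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
    "IU": "Interactive", "AN": "Anonymous",
    "S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
}

# SDDL right tokens that let the holder send data to or alter the object:
# GA/GW generic all/write, FA/FW file all/write, DC = 0x2 which is
# FILE_WRITE_DATA on files and pipes, WD = WRITE_DAC (not the Everyone SID!),
# WO = WRITE_OWNER, SD = DELETE.
WRITE_RIGHTS = {"GA", "GW", "FA", "FW", "DC", "WD", "WO", "SD"}
# Same idea for rights given as a hex access mask.
WRITE_MASK = (0x10000000   # GENERIC_ALL
              | 0x40000000  # GENERIC_WRITE
              | 0x00000002  # FILE_WRITE_DATA
              | 0x00040000  # WRITE_DAC
              | 0x00080000  # WRITE_OWNER
              | 0x00010000)  # DELETE


class Ace(NamedTuple):
    ace_type: str   # "A" allow, "D" deny, ...
    rights: str     # token string such as "GRGW" or a hex mask "0x120089"
    sid: str        # alias ("WD") or full SID ("S-1-5-21-...")


class Finding(NamedTuple):
    principal: str
    rights: str


def parse_dacl(sddl: str) -> List[Ace]:
    """Extract the ACEs of the D: section; SACL (S:) and owner/group are ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(fields[0], fields[2], fields[5]))
    return aces


def rights_grant_write(rights: str) -> bool:
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_MASK)
    tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return any(t in WRITE_RIGHTS for t in tokens)


def overly_permissive(sddl: str) -> List[Finding]:
    """Allow-ACEs that hand write-capable rights to a broad principal."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type != "A":            # deny ACEs do not grant anything
            continue
        if ace.sid in BROAD_PRINCIPALS and rights_grant_write(ace.rights):
            findings.append(Finding(BROAD_PRINCIPALS[ace.sid], ace.rights))
    return findings


# Constructed samples. The first is the shape of the audit finding: Everyone
# may do anything to the endpoint. The second restricts it to SYSTEM,
# Administrators and one specific user (hypothetical SID).
VULNERABLE = "D:(A;;GA;;;WD)"
HARDENED = "O:BAG:SYD:PAI(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGW;;;S-1-5-21-1234-5678-9012-1001)"

if __name__ == "__main__":
    for label, sddl in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, overly_permissive(sddl) or "ok")
```

Note that an ACE granting Everyone only `0x120089` (FILE_GENERIC_READ) is not reported, because the problem was write access; also, a deny ACE for a broad principal is skipped rather than treated as cancelling an earlier allow, so run the check on the full descriptor rather than on a single ACE.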
Resolved: Exclude Local Networks functionality not working properly
The DuckDuckGo VPN offers users the option to exclude local networks via Settings. This feature is designed to ensure that a VPN-connected device remains isolated from the local network. However, the audit found that even with this toggle enabled, the VPN-connected device could still reach other devices on the local network. This issue has been fully addressed in the latest versions of the macOS (from version 1.115.0) and iOS (from version 7.146.0) browsers.
Resolved: Email address enumeration
This vulnerability affected the DuckDuckGo subscriptions backend. An attacker could determine which email addresses were associated with valid subscriptions by measuring the time between sending a request and receiving the response, because requests for subscribed addresses took measurably longer than requests for unknown ones. We have mitigated this by making the service perform the same amount of work for every submitted email address, so the response time no longer reveals whether an address is subscribed.
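The usual cause of this class of leak is an early return: the expensive step (a credential or token check) only runs when the account exists. The following is an added example, not DuckDuckGo's code, showing that pattern beside the constant-work fix. The subscription store, the PBKDF2 token check and the request shape are assumptions; the report only says that response times differed. Each checker returns the result together with the number of expensive derivations it performed, which makes the difference between the two paths visible without relying on flaky wall-clock measurements.

```python
"""Timing-based email enumeration and a constant-work mitigation.

Added illustration, not DuckDuckGo's code. The store, the token check and
the request shape are assumptions made for this example.
"""
import hashlib
import hmac
import os
import statistics
import time
from typing import Dict, Tuple

ITERATIONS = 20_000          # deliberately slow, as a real token check would be


def _derive(token: str, salt: bytes) -> bytes:
    """The expensive step: salted PBKDF2-HMAC-SHA256 of the access token."""
    return hashlib.pbkdf2_hmac("sha256", token.encode(), salt, ITERATIONS)


# Constructed sample store: email -> {salt, hash of token}.
SUBSCRIBERS: Dict[str, Dict[str, bytes]] = {}


def enroll(email: str, token: str) -> None:
    salt = os.urandom(16)
    SUBSCRIBERS[email] = {"salt": salt, "hash": _derive(token, salt)}


enroll("alice@example.com", "correct-horse")   # constructed subscriber

# A dummy record used so unknown emails cost exactly as much as known ones.
DUMMY_SALT = b"\x00" * 16
DUMMY_HASH = _derive("placeholder", DUMMY_SALT)  # computed once at start-up


def check_vulnerable(email: str, token: str) -> Tuple[bool, int]:
    """Early return on unknown email: the fast path leaks 'no such account'."""
    rec = SUBSCRIBERS.get(email)
    if rec is None:
        return False, 0
    ok = hmac.compare_digest(_derive(token, rec["salt"]), rec["hash"])
    return ok, 1


def check_constant_work(email: str, token: str) -> Tuple[bool, int]:
    """Always derive and always compare, against a dummy record if needed."""
    rec = SUBSCRIBERS.get(email)
    if rec is None:
        salt, expected, known = DUMMY_SALT, DUMMY_HASH, False
    else:
        salt, expected, known = rec["salt"], rec["hash"], True
    match = hmac.compare_digest(_derive(token, salt), expected)
    # 'known' is folded in after the comparison so a token that happens to
    # match the dummy record can never authenticate a non-existent account.
    return (match and known), 1


def median_seconds(fn, email: str, token: str, rounds: int = 5) -> float:
    """Rough timing probe, as an enumeration attacker would run it."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(email, token)
        samples.append(time.perf_counter() - t0)
    return statistics.median(samples)


if __name__ == "__main__":
    for fn in (check_vulnerable, check_constant_work):
        known = median_seconds(fn, "alice@example.com", "wrong-token")
        unknown = median_seconds(fn, "nobody@example.com", "wrong-token")
        print(f"{fn.__name__:20s} known={known * 1e3:7.2f} ms  unknown={unknown * 1e3:7.2f} ms")
```

Equalising CPU work is necessary but not sufficient: database round-trips, caches and rate limiters can reintroduce a measurable difference, so the mitigation should be confirmed by sampling both paths many times over the real network path rather than by code review alone.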
Accepted Risks
Insecure Keychain access via WhenUnlocked permissions
The audit noted that the browser stores sensitive Keychain items with an accessibility setting that makes them readable only while the device is unlocked. This may pose a risk if a device is stolen while it is unlocked, or if a user's Apple account is compromised and Sync is enabled for iCloud Passwords & Keychain. DuckDuckGo deemed that this does not pose an immediate risk within the boundaries of our app. (This attribute is also the value OWASP recommends for securely storing Keychain items; the stricter ThisDeviceOnly variant of the setting would keep items out of iCloud sync and backups, at the cost of not following the user to their other devices.)
Exposing information about the user’s Internet service provider (ISP)
An attacker who has already gained access to your device could use this issue to discover details about your Internet service provider. We have chosen not to address it because, for a user to be affected, an attacker would first need to compromise the device with malware, at which point this additional disclosure has very low impact.
Missing version information in code signing requirements
This issue concerns the code-signing requirement that macOS's TCC framework uses to recognise the app when it checks previously granted permissions. Because that requirement does not include a minimum version, an older build signed by the same identity still satisfies it. An attacker with access to a user's device could downgrade the app to an older version with known vulnerabilities and inherit the permissions the user had granted, which could be used for secondary attacks. While this poses a risk, it requires the attacker to first compromise the user's device, perform the downgrade, and know of a previous exploit to abuse after the downgrade.
Final Words
We extend our gratitude to Securitum for their meticulous and dedicated efforts in conducting this security audit. Their expertise has been invaluable in making this project a reality, empowering us to continue keeping our users safe.
Learn More
- What is DuckDuckGo VPN?
- Does DuckDuckGo VPN store any log of my VPN activity?
- What protocols does DuckDuckGo VPN support?
- DuckDuckGo VPN Servers and Locations
- DuckDuckGo VPN Scam Blocker DNS Blocklist
- DuckDuckGo VPN Troubleshooting
- DuckDuckGo VPN and App Tracking Protection
- DuckDuckGo VPN Port Forwarding and Blocking
- Privacy Pro - Personal Information Removal
- Privacy Pro - Identity Theft Restoration