TunnelBear Annual Independent Security Audits

The VPN industry has become synonymous with bold claims about privacy and data security. With each passing month, new companies crop up, trying to lay claim to the title of “most secure VPN”.

In reality, there’s not much in the way of standardization in the industry. There’s very little that we, as consumers, can do to evaluate the claims made by the dozens of VPN providers clamoring for business.

TunnelBear’s First Annual Audit

Considering the VPN industry’s secrecy and closedness up until that point, it came as something of a shock when established VPN provider TunnelBear announced that it had undergone an independent security audit of its software and systems back in August 2017.

Even more shockingly, they published the results shortly after that too.

During that audit, cybersecurity and penetration testing firm Cure53 discovered numerous vulnerabilities in TunnelBear’s systems.

Worryingly, two of the problems were labeled critical. They could allow an attacker to disable the VPN without our knowledge or – in the case of the TunnelBear Mac client – take over the whole computer.

Although TunnelBear admitted at the time that they weren’t proud of the results, they acted quickly to fix the issues. They also willingly shared the findings with the public.

But, most important of all, TunnelBear committed to making the audit a yearly occurrence.

Second Annual Public Security Audit

At the end of October 2018, true to their word, TunnelBear released the results of their second independent security audit. Once again, Cure53 handled the testing, which is significant because of their familiarity with TunnelBear’s inner workings from the previous tests.

The 2018 results were also released to the public.

This time around, TunnelBear fared much better than they had during round one. That’s not to say, however, that the audit found no issues – far from it.

Cure53’s testing team did discover two more critical flaws. Both could allow attackers on Windows or macOS to gain privileged access and launch malicious programs.

As frightening as that sounds, it was an improvement over the original flaws found in the first audit.

An attacker could only have used the two critical issues identified in 2018 with direct access to the computer running TunnelBear’s client. In other words, they were unlikely to pose a risk in a real-world scenario.

To their credit, TunnelBear once again patched the vulnerabilities right away and provided their updated code to Cure53 for verification.

Third Independent Annual Audit

We had to wait for 2020 to roll around to see the results of another TunnelBear audit. But it did come.

The audit was, yet again, done by Cure53. It was completed in November 2019, but the audit results were not released until January. Presumably, the delay gave TunnelBear the time it needed to address any issues.

And, once again, issues there were.

After spending 37 days scrutinizing every part of TunnelBear’s servers, network infrastructure, and software, Cure53 discovered twelve problems. Of those, two were critical and four high.

But, much like the previous year, only a couple of the issues were cause for concern. And those vulnerabilities were once again very unlikely to pose a real-life threat – they needed both direct access to the device and high-level permissions.

Overall, Cure53 had plenty of good things to say about TunnelBear. They went as far as making the following statement:

“TunnelBear [is] a clear frontrunner among its VPN competitors when it comes to security.”

TunnelBear’s Security Transparency

From a user point of view, the most important part of all three TunnelBear audit reports is the sheer amount of transparency that went into them.

In the 2018 report summary, the Cure53 team notes the extraordinary access to all systems and code that they had to work with. They said:

“Cure53 factually targeted a vast and nearly all-encompassing scope of the TunnelBear web applications, clients, extensions and the connected core services.”

In other words, they left no stone unturned in their hunt for vulnerabilities. TunnelBear, on the other hand, set no limits on what the testers could see or touch.

And, in my mind, that’s the real takeaway from the results of TunnelBear’s security audits.

All three paint a picture of a VPN provider that seems far more concerned with finding and fixing any potential security issues than they are with protecting their reputation.

It’s an excellent sign that TunnelBear’s commitment to our security extends well beyond the marketing-speak that is so common in the industry.

TunnelBear’s initiative also pushed the likes of Surfshark, ProtonVPN, and other well-known VPN providers to follow suit and undergo their own independent security audits. And, ultimately, that’s nothing but good news for us VPN users.

About Tim Tremblay

Tim is the founder of Fastest VPN Guide. He comes from a world of corporate IT security and network management and knows a thing or two about what makes VPNs tick. Cybersecurity expert by day, writer on all things VPN by night, that’s Tim. You can also follow him on Twitter and Quora.
