Mullvad VPN Exit IPs Aren’t as Random as They Seem: Here’s Why
A researcher has uncovered a privacy issue in Mullvad VPN, a Swedish provider with a strong reputation, known especially for its strict no-logs policy. The behavior highlighted by the researcher could make it possible to probabilistically fingerprint users as they move from one server to another. Here’s what you need to know.
Predictable WireGuard Exit IP Assignment
The researcher tmctmt took a close look at Mullvad’s network architecture. His research paid off, as you will see in this article. In fact, he claims that the exit IP addresses assigned by Mullvad VPN when connecting are not as random as one might imagine.
The assignment of these IP addresses is deterministic and based on the user’s WireGuard key, which is automatically rotated every 1 to 30 days. Automatic rotation applies only if you use Mullvad VPN’s official clients to connect; otherwise, you must rotate the key yourself.
To verify his theory and observe Mullvad’s infrastructure behavior, tmctmt developed a script. The goal: generate 3,650 different WireGuard public keys and collect the exit IP addresses assigned across 9 servers located around the world (including Germany, the United States, Australia, Finland, and South Africa).
After this experiment, he found that out of an estimated total of more than 8.2 trillion possible IP combinations, the test revealed only 284 distinct IP combinations. In practice, a user receiving an exit IP in the 81st percentile of a server’s pool will systematically be assigned an IP near that same percentile on other servers. This mechanism creates a sort of IP constellation for each user.
His report also includes the following table:
| Server | IP | Position | Pool size | Ratio |
|---|---|---|---|---|
| au-syd-wg-101 | 103.136.147.53 | 49 | 60 | 0.816 |
| cl-scl-wg-001 | 149.88.104.12 | 9 | 11 | 0.818 |
| de-ber-wg-007 | 193.32.248.251 | 7 | 8 | 0.875 |
| dk-cph-wg-002 | 45.129.56.220 | 25 | 31 | 0.806 |
| fi-hel-wg-201 | 185.65.133.63 | 54 | 66 | 0.818 |
| us-lax-wg-001 | 23.234.72.109 | 74 | 91 | 0.813 |
| us-nyc-wg-602 | 146.70.168.179 | 48 | 59 | 0.813 |
| us-sjc-wg-302 | 142.147.89.222 | 11 | 13 | 0.846 |
| za-jnb-wg-002 | 154.47.30.153 | 9 | 11 | 0.818 |
This analysis means that:
- Changing countries in Mullvad VPN in the hope of hiding your tracks is pointless.
- By correlating information, it is possible to trace a person’s activity (from the visited service’s perspective) because of this deterministic approach used to assign IP addresses. This is not exact identification, but it can lead to it.
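The rows of the table can be checked against a single underlying ratio with a short Python script. This is an added example, not the researcher's tool or Mullvad's code; it assumes positions are 1-indexed and that a server maps a per-key ratio r to position ceil(r × pool size), which is a guess at the mapping rather than something the report states.

```python
from fractions import Fraction

# (server, position in pool, pool size), copied from the table above.
OBSERVATIONS = [
    ("au-syd-wg-101", 49, 60),
    ("cl-scl-wg-001", 9, 11),
    ("de-ber-wg-007", 7, 8),
    ("dk-cph-wg-002", 25, 31),
    ("fi-hel-wg-201", 54, 66),
    ("us-lax-wg-001", 74, 91),
    ("us-nyc-wg-602", 48, 59),
    ("us-sjc-wg-302", 11, 13),
    ("za-jnb-wg-002", 9, 11),
]

def ratio_interval(position, pool_size):
    """Ratios r in (low, high] for which ceil(r * pool_size) == position.
    The ceil mapping and 1-indexed positions are assumptions of this example."""
    return Fraction(position - 1, pool_size), Fraction(position, pool_size)

def common_interval(observations):
    """Intersect the per-server ranges; None means no single ratio fits all."""
    low, high = Fraction(0), Fraction(1)
    for _server, position, pool_size in observations:
        lo, hi = ratio_interval(position, pool_size)
        low, high = max(low, lo), min(high, hi)
    return (low, high) if low < high else None

def with_position(observations, server, position):
    """Copy of the observations with one server's position replaced."""
    return [(s, position if s == server else p, n) for s, p, n in observations]

if __name__ == "__main__":
    fit = common_interval(OBSERVATIONS)
    print("table rows:", "no common ratio" if fit is None
          else f"one ratio in ({float(fit[0]):.4f}, {float(fit[1]):.4f}] fits all 9")
    # Constructed counter-case: one exit IP drawn from elsewhere in its pool.
    mixed = with_position(OBSERVATIONS, "us-lax-wg-001", 20)
    print("one row altered:", common_interval(mixed))
```

Under this assumed mapping, all nine rows fit a window roughly 0.003 wide, while a single position taken from elsewhere in its pool leaves no common ratio; that gap is what lets a set of exit IPs act as a quasi-identifier until the key is rotated.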
Alongside his report, the researcher released a tool called Mullvad seed estimator that can be used to evaluate sets of IP addresses and determine whether they belong to the same user. "This ratio can also be used to predict the exit IP routes that will be assigned to the user on one of Mullvad’s more than 500 servers," he notes.

Mullvad’s Response
Via Hacker News, Fredrik Strömberg, co-founder of Mullvad, weighed in. In response to tmctmt’s publication, he says that "Some aspects of the behavior described are as we intended, and others are not."
But more importantly, he says that a fix is already being tested on Mullvad VPN’s infrastructure to mitigate this behavior. "We will also reassess whether the intended behaviors are acceptable or not. This is partly a trade-off between various aspects of privacy and various aspects of the user experience," he also explains.
This article is a reminder that Mullvad VPN truly applies a no-logs policy. It is one of this VPN’s strengths, and it has already proven it in a criminal investigation.
Finally, let’s end with the two recommendations proposed by the researcher to stay protected:
- Avoid changing servers too frequently while keeping the same WireGuard key.
- Force key rotation by logging out and then logging back into the Mullvad app.


