VPNs have a trust issue: Here's what TunnelBear did about it

A third-party security audit shows the VPN service's seriousness about protecting its customers.

The popular virtual private network (VPN) provider TunnelBear wants to earn your trust. The company just announced what it says is the first third-party public security audit in the consumer VPN industry. In short, a security company looked at TunnelBear’s servers, apps, and infrastructure to see if everything was up to snuff.

The VPN provider hired Germany-based penetration testing company Cure53. The security company was given full access to TunnelBear’s systems and code for 30 days in late 2016 and another eight in early 2017. The end result was two audits, which TunnelBear and Cure53 published Tuesday.

During the first audit, Cure53 found two critical vulnerabilities in TunnelBear’s Chrome extension, one of which allowed a malicious actor to turn off the extension. The auditors also found a critical vulnerability in TunnelBear for Mac that could allow a hacker to take over a user’s machine. All three vulnerabilities have since been patched.

Cure53 also found three high vulnerabilities—since patched—in the TunnelBear API as well as the Android app.

TunnelBear says it wasn’t proud of those results, but at least the vulnerabilities were discovered. During the shorter redo this summer, Cure53 said it found 13 other problems, but only one was of “high” severity. The others were medium to low threats that did not require urgent fixes.

For more information about VPNs, see PCWorld’s article on best VPNs of 2017.

Why this matters: One of the critical issues surrounding a VPN, or any software really, is trust. Can you trust the company you’re using to protect your privacy and provide you with a secure product? With some VPNs this isn’t such an easy question to answer, especially if you can’t even verify who’s running the company. TunnelBear took a big step by publicly releasing its security audits—most notably the 2016 one with all its problems.

The future: More audits

The one thing this audit didn’t address were the contents of TunnelBear’s privacy policy, such as its no-logging claim for users’ browsing habits. On that issue, it’s still up to you to decide whether you trust the company.

TunnelBear says its experience with Cure53 has inspired it to carry out an annual security audit from now on.

If you want to check out the audit results for yourself, you can read a summary on Cure53’s website (PDF).

Show Comments