'Some aspects are as we intended and some are not' — Mullvad addresses WireGuard exit-IP fingerprinting concern after researcher flags privacy risk
A security researcher discovered that Mullvad’s WireGuard exit IP assignments follow a predictable pattern, but the privacy-focused provider is already rolling out a fix.
- A researcher found Mullvad's WireGuard exit IP may enable fingerprinting
- Mullvad's co-founder confirmed an upcoming patch to address any issues
- Mullvad will also re-evaluate if the intended behaviors are acceptable or not
Mullvad VPN, a provider highly regarded for its rigid privacy stance and no-logs policy, is currently addressing claims that its IP assignment structure can be used to track individual users.
The issue was brought to light by an independent security researcher known as "tmctmt," who found that Mullvad’s method of assigning public exit IP addresses for its WireGuard connections isn't entirely random. Instead of assigning a fresh IP every time you connect, the exit IP is deterministically tied to your unique WireGuard key.
Because this internal mathematical "seed" remains static until your key rotates, moving between different Mullvad servers may produce a recognizable constellation of IP addresses. By analyzing these IP logs, administrators on forums or websites could potentially link a user's disparate connections back to the same device with over 99% confidence.
Mullvad co-founder and co-CEO Fredrik Strömberg quickly acknowledged the report on Hacker News, stating: "Some aspects of the described behavior are as we intended and some are not."
Strömberg confirmed that a fix is actively being deployed for the unintended behaviors, adding that "we will also re-evaluate whether the intended behaviors are acceptable or not."
TechRadar has also reached out to Mullvad directly for further comment.
Feature or bug?
Unlike competitors that cram thousands of users onto a single IP address, Mullvad assigns multiple exit IPs per server to prevent annoying CAPTCHAs and rate limits.
The researcher tested this system by cycling through 3,650 public keys across nine different servers. Despite there being over 8.2 trillion possible IP combinations, all of the generated keys resulted in just 284 distinct IP patterns.
Using a custom "seed estimator," the researcher showed that linking these exit IPs could narrow a user down to a pool of about 340 people (assuming 100,000 active users). While it doesn't instantly dox your real name, it provides more than enough data to cross-reference multiple accounts or connections.
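The gap between trillions of possible combinations and a few hundred observed patterns can be reproduced with a toy model. This is an added example, not code from the researcher or from Mullvad. The pool sizes, the hash-based slot selection and both assignment functions are assumptions made for illustration, and Mullvad has said the real cause is not exactly as the blog post theorized.

```python
import hashlib
from collections import Counter

# Constructed pool sizes for nine hypothetical servers (not Mullvad's real numbers).
POOLS = {f"srv{i}": n for i, n in enumerate([20, 24, 28, 30, 26, 32, 22, 36, 18], 1)}

def keys(count):
    """Deterministic stand-ins for WireGuard public keys (constructed)."""
    return [hashlib.sha256(f"constructed-key-{i}".encode()).digest() for i in range(count)]

def shared_seed_pattern(key):
    """Assumed weak design: one static per-key seed picks the same relative slot in every pool."""
    seed = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return tuple((seed * size) >> 64 for size in POOLS.values())

def per_server_pattern(key):
    """Assumed alternative: a separate derivation per (key, server), so slots are unrelated."""
    return tuple(
        int.from_bytes(hashlib.sha256(key + name.encode()).digest()[:8], "big") % size
        for name, size in POOLS.items()
    )

def distinct_patterns(model, count=3650):
    """How many different exit-IP constellations `count` keys produce."""
    return len({model(k) for k in keys(count)})

def shared_seed_upper_bound():
    """floor(f * size) only changes at multiples of 1/size, so a single f in [0, 1)
    can yield at most sum(size - 1) + 1 distinct tuples, however many keys exist."""
    return sum(POOLS.values()) - len(POOLS) + 1

def expected_crowd(model, users):
    """Average number of users (self included) sharing a given user's constellation."""
    counts = Counter(model(k) for k in keys(users))
    return sum(c * c for c in counts.values()) / users

if __name__ == "__main__":
    for model in (shared_seed_pattern, per_server_pattern):
        print(model.__name__,
              "patterns:", distinct_patterns(model),
              "crowd at 100k users:", round(expected_crowd(model, 100_000), 1))
    print("shared-seed ceiling:", shared_seed_upper_bound())
```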
Responding on Hacker News under the username "kfreds," Strömberg was quick to note that the backend cause wasn't exactly as theorized by the researcher, but confirmed action was being taken.
"The cause is not exactly as described in the blog post. As for mitigation, we are already testing a patch of the unintended behavior on a subset of our infrastructure. If any of you try to reproduce the blog post's findings you may get confusing results throughout the day," Strömberg noted.
The company recently pushed updates to make its iOS app more secure, but server-level IP assignment affects users across all platforms. While Mullvad addresses the unintended infrastructure quirks, Strömberg noted they will "re-evaluate whether the intended behaviors are acceptable or not," framing the issue as a "trade-off between multiple aspects of privacy, and multiple aspects of user experience".
Strömberg also left a polite note for future bug hunters: "Finally, for those of you who do security research: when you find a security or privacy issue, please consider notifying the maintainer/vendor before publishing your findings, even if you intend to publish right away".
If you are a current Mullvad user, you can easily mitigate this tracking risk today. The researcher advises avoiding rapid server switching, and occasionally logging out and back into the Mullvad app to force a manual WireGuard key rotation.

Rene Millman is a seasoned technology journalist whose work has appeared in The Guardian, the Financial Times, Computer Weekly, and IT Pro. With over two decades of experience as a reporter and editor, he specializes in making complex topics like cybersecurity, VPNs, and enterprise software accessible and engaging.