TunnelBear conducts first ever VPN security audit


One quality that all VPN providers, without exception, need if they are going to thrive in a hugely competitive marketplace, is customer trust. Which is why one VPN has gone the extra mile to reassure customers that their service really is as secure as they claim.

The VPN in question is TunnelBear, a relative newcomer, but one which has already made waves thanks to its witty graphics and tongue-in-cheek approach. In our review, which was published last month, we lauded them for this, but nonetheless found room for improvement in their overall service.

Consumer trust and reassurance

It seems they are determined to reassure customers about the level of security they can offer, something we were actually fairly complimentary about in our review. But that wasn’t enough for the TunnelBear team, so they have decided to put their infrastructure through a third-party public security audit.

What this means is that they hired the Germany-based penetration testing company Cure53 to test their systems. In late 2016, Cure53 were given full access to all of TunnelBear’s systems and source code for 30 days. In early 2017, they then conducted a second audit which lasted 8 days.

TunnelBear claims that this is the first time a VPN provider has undertaken such a security audit and they have certainly been upfront and transparent about the results.

Vulnerabilities found and fixed

TunnelBear has revealed that the initial audit found two critical vulnerabilities in their Chrome extension, one of which would have enabled an attacker to turn the extension off. Cure53 also found a vulnerability in the Mac app which would have allowed an attacker to take over the user’s device, as well as three high-severity vulnerabilities in the TunnelBear API and the Android app.

TunnelBear said in a blog post that they were not proud of these findings and that “it would have been nice to be stronger out of the gate”. They also stressed that “all findings discovered in the 2016 audit were promptly addressed by TunnelBear’s engineering team and verified to be fixed by Cure53.”

The shorter second audit also found 13 additional problems, but only one of these was classed as being a major issue and again all have now been fixed.

Why conduct a security audit?

Whilst such findings are of course a concern in a piece of software which is supposed to deliver customer security, it is to TunnelBear’s credit that they have gone public with them.

Some may question why TunnelBear would run the risk of exposing themselves to scrutiny and criticism by admitting the presence of such vulnerabilities. And of course, it is possible that some people looking for a VPN provider may see the words TunnelBear and vulnerability together and quickly decide to take their business elsewhere.

This would be a mistake though because what TunnelBear have done is take the responsible approach and been upfront about their security issues. It is an example which all other VPN providers, and indeed all other online businesses, could learn from.

Whilst the presence of vulnerabilities is not welcome, it is far better that they come to light and are resolved as a result of a security audit than as a result of a security breach. The process makes TunnelBear more secure and, far from driving customers away, it should attract more customers to them. Who can say how many vulnerabilities in other VPNs have not yet come to light?

So, hats off to TunnelBear for setting the precedent. It doesn’t make them the perfect VPN by any means. As we noted in our review, their limited retention of user data and occasional speed issues are problems which they still need to resolve if they are to compete with the likes of IPVanish and ExpressVPN. But maybe they have set in motion a trend which can make the whole VPN sector more secure and more transparent.