
Research reveals deterministic IP assignment creates fingerprinting risk for Mullvad VPN users

A recent investigation published on Hacker News indicates that Mullvad VPN’s exit IP selection is not randomised, allowing for high-accuracy correlation of user identities across different servers.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: Hacker News
Analysis of WireGuard key mapping shows limited exit IP combinations, challenging anonymity claims

Research published on Hacker News has identified a potential anonymity flaw in Mullvad VPN, a privacy-focused service known for its vertical scaling model. The investigation found that the provider does not randomise the exit IP address on each connection. Instead it assigns the IP deterministically from the user's WireGuard key, which the official client rotates at an interval of between one and 30 days, while third-party WireGuard clients may never rotate it at all.

The study analysed 3,650 public keys across nine servers and found a large gap between theoretical and actual IP diversity. Although the nine servers' exit-IP pools together allow more than 8.2 trillion possible combinations (the product of the individual pool sizes), every tested key was assigned one of only 284 distinct combinations. Because a user's combination is both rare and stable across servers, it can be used to correlate the same user across servers with high accuracy, creating a deanonymisation risk.

The assignment algorithm appears to map each key to the same relative position, or percentile, within every server's pool rather than selecting an address at random. In the dataset examined, every IP assigned to a given key fell at the same percentile of its server's pool (the 81st percentile in the worked example). The same user therefore receives the exit IP at the corresponding position in every pool, which leaves users with only a small fraction of the combinations the pools could in principle produce.

Further examination suggests that the backend, likely written in Rust, seeds a random number generator from the key and draws a single value from a range whose upper bound is the pool size. Servers with identical pool sizes, such as those with 11 available IPs, hand out identical IP indexes, which supports the hypothesis of a fixed, key-derived seed. The behaviour runs counter to a common assumption among developers that changing the range bound changes which value is drawn: a seeded generator's first output is the same whatever bound is passed, and Rust's range-sampling functions essentially scale that output into the requested range, so the key lands at the same percentile of every pool.

A tool developed by the researchers estimates how many users share a given IP combination by deducing the narrowest range of underlying random values consistent with every IP in it: in effect, each IP pins the value to one interval of its pool, and the intersection of those intervals is the fraction of keys that would produce that combination. For one specific combination, that range corresponded to roughly 0.34 per cent of users. With an estimated 100,000 active users, that is about 340 users sharing the combination, which the analysis says is enough to identify sockpuppet accounts or link identities across different server connections with better than 99 per cent accuracy.
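The mechanism described in the preceding three paragraphs, as an added example that is not code from the original post, from Mullvad or from the researchers' tool: it models the hypothesised key-only seeding, counts how few combinations it can produce compared with the pool product, contrasts it with a seed that also mixes in the server identity (one possible remedy, not Mullvad's actual fix), and reproduces the overlap estimate by intersecting per-server intervals. The real generator and seed derivation are unknown, so SplitMix64 and FNV-1a are stand-ins, and the server names, pool sizes and key strings are constructed for the example.

```rust
use std::collections::HashSet;

// Constructed stand-in for the servers in the analysis: (name, exit-IP pool size).
// Two servers share a pool size of 11, matching the case discussed above.
const SERVERS: &[(&str, usize)] = &[
    ("server-a", 11),
    ("server-b", 11),
    ("server-c", 20),
    ("server-d", 97),
];

// SplitMix64: a stand-in for whatever seeded generator the backend really uses.
fn splitmix64(state: &mut u64) -> u64 {
    *state = state.wrapping_add(0x9E37_79B9_7F4A_7C15);
    let mut z = *state;
    z = (z ^ (z >> 30)).wrapping_mul(0xBF58_476D_1CE4_E5B9);
    z = (z ^ (z >> 27)).wrapping_mul(0x94D0_49BB_1331_11EB);
    z ^ (z >> 31)
}

// FNV-1a: a toy way to turn key material into a 64-bit seed (also an assumption).
fn fnv1a(bytes: &[u8]) -> u64 {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325;
    for &b in bytes {
        h ^= b as u64;
        h = h.wrapping_mul(0x0100_0000_01b3);
    }
    h
}

// First output of a generator seeded with `seed`, as a uniform value in [0, 1).
// This is the "float value" that a range bound then merely scales.
fn unit_float(seed: u64) -> f64 {
    let mut state = seed;
    (splitmix64(&mut state) >> 11) as f64 / (1u64 << 53) as f64
}

// Flawed scheme from the text: seed from the key alone. The pool size only
// scales one fixed draw, so a key lands at the same percentile of every pool.
fn index_key_only(key: &[u8], pool_size: usize) -> usize {
    (unit_float(fnv1a(key)) * pool_size as f64) as usize
}

// Alternative: mix the server identity into the seed so that each server's
// draw is independent of the others (one fix; not Mullvad's actual remedy).
fn index_salted(key: &[u8], server: &str, pool_size: usize) -> usize {
    let mut material = key.to_vec();
    material.extend_from_slice(server.as_bytes());
    (unit_float(fnv1a(&material)) * pool_size as f64) as usize
}

// The IP-index combination one key receives across all servers.
fn combination(key: &[u8], servers: &[(&str, usize)], salted: bool) -> Vec<usize> {
    servers
        .iter()
        .map(|&(name, size)| {
            if salted { index_salted(key, name, size) } else { index_key_only(key, size) }
        })
        .collect()
}

// Number of distinct combinations seen over `n` constructed keys.
fn distinct_combinations(n: usize, servers: &[(&str, usize)], salted: bool) -> usize {
    let mut seen: HashSet<Vec<usize>> = HashSet::new();
    for i in 0..n {
        let key = format!("constructed-key-{}", i); // stands in for a WireGuard public key
        seen.insert(combination(key.as_bytes(), servers, salted));
    }
    seen.len()
}

// Overlap estimate in the spirit of the researchers' tool: index `idx` in a pool
// of `size` means the underlying value lay in [idx/size, (idx+1)/size).
// Intersecting those intervals over every server gives the fraction of keys
// that share the combination. None means no single value explains it.
fn shared_fraction(observed: &[(usize, usize)]) -> Option<f64> {
    let (mut lo, mut hi) = (0.0f64, 1.0f64);
    for &(idx, size) in observed {
        lo = lo.max(idx as f64 / size as f64);
        hi = hi.min((idx + 1) as f64 / size as f64);
    }
    if hi > lo { Some(hi - lo) } else { None }
}

fn main() {
    let keys = 5_000;
    let product: usize = SERVERS.iter().map(|&(_, size)| size).product();
    println!("theoretical combinations (pool product): {}", product);
    println!("distinct combinations, key-only seed: {}", distinct_combinations(keys, SERVERS, false));
    println!("distinct combinations, salted seed:   {}", distinct_combinations(keys, SERVERS, true));

    let combo = combination(b"constructed-key-42", SERVERS, false);
    let observed: Vec<(usize, usize)> =
        combo.iter().zip(SERVERS).map(|(&idx, &(_, size))| (idx, size)).collect();
    if let Some(frac) = shared_fraction(&observed) {
        // 100,000 active users is the estimate quoted in the article.
        println!("combination {:?}: {:.3}% of users, about {:.0} of 100,000",
                 combo, frac * 100.0, frac * 100_000.0);
    }
}
```

With a single scaled draw, the number of reachable combinations is bounded by the number of distinct interval boundaries across all pools (here at most 126 for four pools whose product is 234,740), regardless of which generator is used; that collapse, not any weakness of the generator, is what produces the 284-combination result described above. Mixing the server identity into the seed restores independent draws per server, and `shared_fraction` applied to any key-only combination always returns a value, which is exactly the property that lets an observer estimate how many other users hide behind the same set of exit IPs.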
