-rw-r--r--  docs/security.md                |  3
-rw-r--r--  mullvad-update/threat-model.md  | 78
2 files changed, 81 insertions, 0 deletions
diff --git a/docs/security.md b/docs/security.md
index e95af26a0b..0771b6b3d4 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -337,6 +337,9 @@ The GUI only communicates with the system service (`mullvad-daemon`), it makes n
network connections. Except when the user sends a problem report, then it spawn the
`mullvad-problem-report` tool, which in turn communicate over TLS with our API.
+## Mullvad VPN loader
+
+See the threat model [document](../mullvad-update/threat-model.md) for the Mullvad VPN loader.
[disconnected]: #disconnected
[connecting]: #connecting
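Review bot: if the new `See the threat model [document](...)` line is not followed by a blank line before `[disconnected]: #disconnected`, the link reference definitions become a continuation of that paragraph (a reference definition cannot interrupt a paragraph in CommonMark), so they render as literal text and every `[disconnected]`/`[connecting]` link in the file stops resolving; the hunk as shown has no blank line there, so please check and add one. Minor: the link text "document" says nothing on its own; `See the [Mullvad VPN loader threat model](../mullvad-update/threat-model.md).` reads better in the rendered page.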
diff --git a/mullvad-update/threat-model.md b/mullvad-update/threat-model.md
new file mode 100644
index 0000000000..f978fa4b4d
--- /dev/null
+++ b/mullvad-update/threat-model.md
@@ -0,0 +1,78 @@
+# Introduction
+
+This threat model describes the code backing Mullvad VPN loader and in-app updates on the two
+platforms it supports (Windows and macOS). The loader is a graphical application used by Mullvad
+users to install and upgrade the Mullvad VPN app on their devices, and in-app updates allows users
+to update the app from within the app. The library crate `mullvad-update` is responsible for
+verifying the integrity of the software that it downloads and installs on the user's device to
+ensure that the software has not been tampered with. It allows the app to be hosted on untrusted
+third-party CDNs without compromising security.
+
+These tools perform network requests towards Mullvad API endpoints and above mentioned third-party
+CDNs, and requires both read & write access to the target device file system.
+
+## Acquiring Mullvad VPN loader
+
+The loader application is initially downloaded from Mullvad’s website or the Mullvad VPN app GitHub
+repository. For the installation artifacts on our website and GitHub, we provides detached PGP
+signatures for integrity verification.
+
+# Who do we trust
+
+Some Mullvad employees - Access to publish metadata information to be consumed by `mullvad-update`
+is segmented and has been granted to select individuals which are trusted within the company to make
+app releases.
+
+
+# Who is the attacker
+
+## Nation states and law enforcement
+
+With the goal of de-anonymizing individuals in order to track them and disarm “dissidents”.
+
+## Crooks
+
+With the goal to …
+
+* Install malware on target devices
+
+* Make our users part of botnets
+
+* Steal users' information (crypto wallets etc)
+
+# Capabilities of the attacker
+
+* Serving malicious software via the third-party CDNs
+
+* Serving legitimate old or unexpected versions of the app on third-party CDNs, e.g.
+ downgrading to versions with known vulnerabilities or development builds
+
+* Serving files large enough to fill up the target's disk
+
+* Compromising the Mullvad API, and (e.g.) returning outdated or fake version metadata
+
+# Countermeasures
+
+Here are countermeasures we have identified against the above attackers which have been implemented
+in the loader:
+
+* The version metadata / Mullvad API response is cryptographically verified to be signed
+
+* The version metadata has an expiry date
+
+* The checksum of software packages downloaded via third-party CDNs is cryptographically verified to
+ be the same as the checksum in the metadata
+
+* Only allow trusted people to publish metadata via secured Qubes machines
+
+* When relevant, only read/use downloaded software artifacts from a location that the loader (or
+ admin) controls, to prevent privilege escalation
+
+* The size of the downloaded software package is checked to be the correct size, and if larger the
+ download is aborted
+
+# Out of scope
+
+* Most attacks involving physical access to the user's computer are not covered by the threat model
+
+* Malicious code that runs as your user account
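Review bot: the capabilities section lists serving legitimate but old versions from the CDNs (downgrading to versions with known vulnerabilities or development builds), but none of the countermeasures says how that case is rejected. Signed metadata with an expiry date stops stale or fake metadata, and the checksum check stops tampered packages, yet a correctly signed and unexpired metadata set could still point at an older package, so the loader needs a stated rule that it refuses to install a version lower than the one already installed (or the document needs to say that the metadata only ever lists currently supported versions). Either add that bullet under Countermeasures or move the downgrade case to Out of scope. Two smaller gaps: "cryptographically verified to be signed" should say which key the signature is checked against and how that key reaches the client (built into the binary, fetched, etc.), since the whole model rests on it; and the size-check bullet only covers a larger-than-expected download, so state that a short or truncated download is caught by the checksum comparison. The new text also has grammar slips worth fixing before merge: "in-app updates allows", "requires both read & write", "we provides", "above mentioned" (above-mentioned), and "individuals which are trusted" (who).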