The Vilfo VPN router is built by a Swedish company and is going on the market just a month before the General Data Protection Regulation (GDPR) comes into effect. Anyone buying a VPN gateway for their house would be a a bit extra cautious about their security and privacy. In this context, I took a look at how the Vilfo would fare in terms of device security and privacy. The results were not encouraging.
I’m disclosing these security vulnerabilities prior to the customary 90-day disclosure window as I’m not putting anyone at risk. The product has yet to be released with shipping to customers not expected to begin until . (I received a review unit sent to online publications in the .)
Broadcasting passwords to your neighbors
Vilfo doesn’t come with a default password for the WiFi, so the initial setup process in Vilfo’s web administration interface happens over HTTP on an unencrypted WiFi connection that is literally broadcast in the clear to your neighborhood.
You’re required to input a lot of information in the web administration interface before you get the option to enable encryption on the connection. At the very least, you must provide the following: a unique license key for Vilfo, your email address, your username and password for at least one predefined VPN service provider, your desired username and administrative (root) password for the router, and at the end you also input your desired WiFi name and password. All of this information is transmitted in clear-text and can trivially be collected by nearby devices.
Most (if not all) consumer wireless access point equipment will come from the factory with a default password, usually unique to the device which will be printed on a sticker on the device. This ensures the device can only be administrated and setup by someone with physical access to the device.
Trivial privilege escalation
The root password is stored in a file called /etc/vilfo/.env. This file has no access restrictions and can be read by any system user or anyone who gains access to the system. This file is read into the system environment and is made available as an environmental variable called LEDE_PASSWORD.
The password in the file and variable is stored as a base64-encoded string. This is not a secure and irreversible cryptographic hash function, but a trivially reversed data encoding format that yields the root password in plain-text.
This makes it trivial for anyone who gains access to the system to escalate to root privileges.
This isn’t an oversight either: it was designed to work this way. There are even unit tests included as part of the web interface to verify that the root password is decodable to plain text.
Relaxed security policies
Any system user can read and modify any saved VPN profiles including usernames and password. These entries are stored in files that can be read or modified by any system user.
Administration services like secure-shell (SSH) access and the Vilfo web administration interface are bound to every network interface including the WAN port that exposed to the internet. Access to the service is controlled exclusively through the firewall. If an attacker finds a way around the firewall, they’ll find the administrative interfaces ready and waiting for them.
With a layered approach to security, file access permissions would be as tight as they could be made — all services would be bound exclusively to the LAN network interfaces were they’re expected to be available. There doesn’t appear to have been made any attempts at hardening the security of the firmware.
Web interface shares a lot of data with third-parties
First of all, the web administration interface includes Google Analytics, a online solution that collects data about your online behavior and how you interact with an app or website. The collected data includes all the MAC addresses on your local network, which would be considered personal data under the General Data Protection Regulation (GDPR). It’s also a violation of Google Analytics’ own Terms of Service to collect this type of data on users through the service.
The web interface also includes a live chat support interface from a company called Intercom. The chat system lets you chat with Vilfo’s support staff. This sounds like a neat but pretty flawed idea. You’d most likely only want to chat with customer support when the network or your internet connection isn’t working. In these situations, the live-chat system would simply not be available.
Intercom also collects data about what you do inside the web administration panel, plus of course any information you type in to the chat system.
Shares diagnostic data (including passwords) with Intercom
You can choose to submit diagnostic data to Vilfo via the web administration interface. There is no notice in the web interface indicating that Vilfo will be able to contact you regarding your submitted diagnostic data, yet the data includes the email address you provided during the initial setup process.
The diagnostic data contains a dump of your router configuration that includes the MAC address of every device that have been observed on your network in the last four months plus behavioral data collected about each device, your email address, the password to your wireless network, and information about your VPN usage. This is waaay more information than Vilfo should be collecting let alone sharing with a third-party service provider.
Shares data about your browsing habits with OPVN Integritet
The Vilfo router and company is an offshoot from the Swedish VPN service provider OVPN Integritet. A DNS service is the system that turn domain names in to the actual Internet Protocol addresses computers use to talk to each other. OVPN Integritet offers a free DNS service to the public.
The Vilfo router by default uses DNS services from OVPN Integritet rather than picking them up from your network or Internet Service provider over a protocol called DHCP.
All of your devices asks OPVN Integritet about the addresses to every website you visit regardless of whether you use no VPN, their VPN service, or another VPN service entirely. Your DNS data includes a lot of potential personal data as well as behavioral data, if it were collected by the DNS server.
Leaks DNS outside the VPN
The router runs a caching DNS server (dnsmasq) which greatly helps improve DNS responsiveness. Every device on the network is auto-configured to use the router as their DNS server through DHCP.
The same DNS server is shared among all VPN connections. This means that all VPN connections end up using the same DNS responses. This causes issues for services like GeoDNS — geographically targeted DNS responses — as you’ll get the same response/location regardless of where in the world the tunneled connection appear. This reduces the router’s ability to bypass geographical restrictions, and probably lowers the device’s value to many potential customers.
The caching DNS server runs on the router itself. Vilfo doesn’t allow you to forward traffic originating on the router through a VPN. So all DNS lookups from all devices on your network will be routed outside the VPN connections; meaning they’ll be exposed unencrypted as originating from your IP address to your ISP and any other intermediaries. This effectively exposes information about which domains you visit over VPN.
Ouch. Continue to Part 4: Conclusions.