Artificial truth

The more you see, the less you believe.


Malwarebytes' privacy VPN is Mullvad in a shady trenchcoat
Sun 10 October 2021 — download

Malwarebytes' logo with mullvad's one behind it

Last year, Malwarebytes launched a VPN service: Malwarebytes privacy:

[…] we've developed our own VPN that Malwarebytes users can trust to protect your data and privacy every time you go online. To that end, we proudly present: Malwarebytes Privacy. Most importantly, Malwarebytes Privacy does not collect user logs or telemetry data whatsoever. Your data remains private—even from us. As an added bonus, with over 180 servers in more than 30 countries, our VPN offers users the potential to view different, localized content around the Internet.

Techradar even said "This could be the most secure VPN around today".

Except that Malwarebytes Privacy is just some paint on top of Mullvad and various open-source tools, which would be parasitic but acceptable behaviour if it were clearly disclosed (as Mullvad, amusingly, does on its own website), but there is no mention of it whatsoever on Malwarebytes' site. Worse, they use possessive language when talking about the servers (which are Mullvad's) and the code (mostly Wintun and wireguard-windows, among others, to which they haven't contributed back a single line of code).

Speaking of code, it's shipping

Most of the embedded dependencies are from 2018, and subject to documented vulnerabilities:

It's also shipping its own kernel driver, which really should get an audit. It's not as if writing a network-facing, cryptography-performing kernel driver were something horribly difficult in every way. Just look at the documentation of the official WireGuard implementation for Windows for a glimpse of the amount of care and complexity involved.

At least the Mullvad app's code is public, and released under GPL.

While Mullvad's privacy policy is ok-ish, Malwarebytes' (archive) is more, … nuanced:

  • It's operating under the EU Privacy Shield (declared illegal by the ECJ in July 2020)
  • Malwarebytes will "retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements. Because these needs can vary for different data types in the context of different products or services, actual retention periods can vary significantly.", without giving more details.
  • The privacy policy might also change, but you'll be notified via "email or other notification".
  • It's violating the GDPR in an explicit "lol fuck you" way: "Your personal information may be transferred to, and maintained on, computers located outside of your state, province, country, or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide your personal information to us, we may transfer your personal information to the United States and process it there."
  • Malwarebytes is collecting a ton of data via its different products, without distinguishing between them:
    • A location item indicating the continent, country, city, and approximate latitude/longitude of the user based on your IP address
    • The type of connection (dialup/broadband/satellite/mobile)
    • The ISP through which the connection is made
    • The organization to which the IP address is licensed, if any
    • "we may need to collect system processes and behaviors in order to perform system rollback and recovery operations."
    • The operating system the program is installed on
    • The system language in use on that system
    • The processor architecture (i.e., 32- or 64-bit)
    • The file system in use (i.e., FAT32)
    • Information from the Windows Security/Action Center, including security settings and programs installed or in use
    • Information about other Malwarebytes program settings and how they are configured
    • Information about how you use our software or services ("Log Data")

And collect data they do, if only for licensing purposes, as a quick look at LicenseControllerImpl.dll shows.

With things like interesting WMI queries:

0x180328270  SELECT Index, MACAddress, Name FROM Win32_NetworkAdapter where AdapterTypeId=0
0x1803282F8  SELECT SerialNumber FROM Win32_BIOS
0x180328320  SELECT UUID FROM Win32_ComputerSystemProduct
0x1803283E0  SELECT processorID FROM win32_processor
0x180328598  SELECT Signature FROM Win32_DiskDrive WHERE Index=%u
0x1803287F0  SELECT serialNumber FROM Win32_PhysicalMemory
0x180328870  SELECT SerialNumber FROM Win32_DiskDrive WHERE Index=%u

as well as virtual-environment detection at 0x18006DCE0. There are also traces of ConnectWise code, likely used to manage the licenses, supporting old-school crypto like MD5 and SHA1 with a home-brewed certificate validation.
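To see what this set of queries actually yields, here is an added PowerShell script (not code from Malwarebytes or Mullvad) that runs the same WQL statements from the DLL on the local machine via Get-CimInstance and hashes the result; the DLL's own fingerprint derivation is unknown, so the SHA-256 at the end is only an illustration of what these identifiers make possible.

```powershell
# Added example, not code from Malwarebytes or Mullvad: run the WQL queries
# found in LicenseControllerImpl.dll against the local machine to see which
# hardware identifiers such a licensing component can read. Needs Windows
# (CIM cmdlets, Windows PowerShell 3+ or PowerShell 7).

# Each entry: the query as found in the DLL, and the properties it selects.
$queries = @(
    @{ Query = 'SELECT Index, MACAddress, Name FROM Win32_NetworkAdapter where AdapterTypeId=0'
       Props = 'Index', 'MACAddress', 'Name' },
    @{ Query = 'SELECT SerialNumber FROM Win32_BIOS';           Props = 'SerialNumber' },
    @{ Query = 'SELECT UUID FROM Win32_ComputerSystemProduct';  Props = 'UUID' },
    @{ Query = 'SELECT processorID FROM win32_processor';       Props = 'ProcessorId' },
    @{ Query = 'SELECT serialNumber FROM Win32_PhysicalMemory'; Props = 'SerialNumber' }
)

# The two Win32_DiskDrive queries carry a "%u" format placeholder for the
# disk index in the DLL; enumerate every disk index here instead.
foreach ($disk in Get-CimInstance -ClassName Win32_DiskDrive) {
    $queries += @{ Query = "SELECT Signature FROM Win32_DiskDrive WHERE Index=$($disk.Index)";    Props = 'Signature' }
    $queries += @{ Query = "SELECT SerialNumber FROM Win32_DiskDrive WHERE Index=$($disk.Index)"; Props = 'SerialNumber' }
}

$collected = @()
foreach ($entry in $queries) {
    Write-Host "== $($entry.Query)"
    foreach ($row in (Get-CimInstance -Query $entry.Query)) {
        # WQL is case-insensitive, so 'processorID' comes back as ProcessorId.
        $line = ($entry.Props | ForEach-Object { "$($_)=$($row.$_)" }) -join ';'
        Write-Host "   $line"
        $collected += $line
    }
}

# These values survive reboots and reinstalls, so together they form a
# durable per-machine fingerprint. The DLL's own derivation is not known;
# the hash below only illustrates what the collected identifiers enable.
$sha   = [System.Security.Cryptography.SHA256]::Create()
$bytes = [System.Text.Encoding]::UTF8.GetBytes(($collected | Sort-Object) -join "`n")
$hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
Write-Host "`nSHA-256 over all collected identifiers: $hash"
```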

tl;dr You'd be better off using Mullvad directly: it's the same price, without invasive telemetry and useless risky sugarcoating on top of it.

Bonus: Malwarebytes cares a lot about your privacy and consent, which is likely why, on every web page of malwarebytes.com, a phony gif (https://genesis.malwarebytes.com/api/v1/wai.gif) that actually returns JSON for fingerprinting purposes is sneakily loaded.