Debunking Surfshark, an ‘independently audited VPN’ or is it?

Connor (PWire)
Private Wire Technologies
Nov 14, 2019

Surfshark, a new and up-and-coming VPN, has entered the market with big claims. Based in the British Virgin Islands, Surfshark claims to be one of the few independently audited VPNs (in fact this is one of their main selling points, see below), but how much is this audit actually worth?

Simply put, very little. We know this because the audit report itself shows that the scope was so narrow that the exercise reads more like a PR stunt than a guarantee of security.

Excerpt of independent security auditing organisation Cure53’s report on Surfshark VPN

After spending less than five minutes reading the minuscule audit report, which even within its limited scope managed to find two vulnerabilities, it became apparent that Surfshark is not a new VPN with a focus on transparency, but rather a VPN aimed at marketing its 'independently audited' sticker left, right and centre.

So what’s the problem, exactly?

Glad you asked. Surfshark has been audited, but not in the way you would expect. The audit had an extremely limited scope: the Chrome browser extension and the Mozilla Firefox extension. To most people that will not sound like a problem, so let's dig deeper.

Surfshark offers its VPN service through many products. Beyond the two audited browser extensions, customers reach the network through desktop applications (Windows, Linux and macOS), mobile applications (iOS and Android), smart TV apps (FireTV and Apple TV, to name two) and game consoles (PlayStation and Xbox). Of all of these, only the two browser extensions were audited.

Excerpt of Surfshark’s website showing their supported platforms

This is where things get fishy.

Surfshark did not give the auditors access to its infrastructure or backend, so although the browser extensions are believed to be 'safe', that assurance extends only to the code that runs locally on your machine. It does not, and this is extremely important, validate the security and encryption of your connection, the practices Surfshark follows server-side, or how secure its infrastructure is. None of the other platforms, beyond the two browser extensions, has been audited at all.

In summary, running the Surfshark VPN is like connecting to a black hole: not even the independent auditors know how secure your data is once it leaves your machine, and that should worry you.

Using any of their other platforms should be a cause for concern. Those products have not been validated, and there is no way to be sure that the code running on your computer, TV or game console is trustworthy. There is no way to know whether they use https:// rather than http://, which they failed to do even in their own browser extensions (read the report here).
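The browser extensions are at least inspectable, because an unpacked extension is just JavaScript and a manifest on disk. As an added illustration of the 'verify' half of trust but verify (this is my own example, not Surfshark's code and not anything taken from the Cure53 report), the script below scans a set of extension source files for plaintext http:// endpoints, including wildcard http host permissions in the manifest. The sample files are constructed for the example; the file names and the example.test hostnames are placeholders, not real Surfshark resources.

```python
import re

# Constructed sample files standing in for an unpacked extension directory.
# They are illustrative only and do not come from any real product.
SAMPLE_EXTENSION = {
    "manifest.json": (
        '{"name": "example-vpn", "permissions": '
        '["proxy", "http://*/*", "https://api.example.test/*"]}'
    ),
    "background.js": (
        "fetch('http://api.example.test/servers')\n"
        "  .then(r => r.json());\n"
        "const upd = 'https://api.example.test/update';"
    ),
    "popup.js": "const img = 'http://localhost:8080/dev-icon.png'; // dev only",
}

# Matches an http or https URL up to the next quote, bracket or whitespace.
URL_RE = re.compile(r"""https?://[^\s'"`<>)]+""")

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _host_of(url):
    """Extract the host part of a URL without relying on urllib, so odd
    manifest patterns such as http://*/* are handled the same as real URLs."""
    rest = url.split("://", 1)[1]
    netloc = rest.split("/", 1)[0].split("@")[-1]
    return netloc.split(":")[0]


def find_plaintext_urls(files, allow_local=True):
    """Return a list of (filename, line_number, url) for every plaintext
    http:// URL in the given {filename: source} mapping.

    With allow_local=True, loopback hosts are skipped as development noise;
    wildcard hosts such as http://*/* are always reported because they grant
    the extension plaintext access to every site.
    """
    findings = []
    for name in sorted(files):
        for line_no, line in enumerate(files[name].splitlines(), 1):
            for url in URL_RE.findall(line):
                if not url.startswith("http://"):
                    continue  # https:// is what we want to see
                if allow_local and _host_of(url) in LOCAL_HOSTS:
                    continue
                findings.append((name, line_no, url))
    return findings


if __name__ == "__main__":
    for fname, line_no, url in find_plaintext_urls(SAMPLE_EXTENSION):
        print(f"{fname}:{line_no}: plaintext endpoint {url}")
```

Run it against a real unpacked extension by replacing SAMPLE_EXTENSION with a mapping built from the files on disk. A hit is not automatically a vulnerability, but every http:// endpoint an extension talks to is traffic that the VPN's own transport cannot protect and that an on-path attacker can read or alter, so each one deserves a reason for existing.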

Doesn’t sound good, but they are in the British Virgin Islands and they don’t log — so I’m ok, right?

I hate to tell you, but no; this doesn't really change things. Having previously worked with organisations heavily using RIPA, I've seen both sides of the table. The British Virgin Islands is a British Overseas Territory; RIPA is UK legislation and does not itself extend to the BVI, but there are cases of British authorities pressuring overseas territories to cooperate with UK law. RIPA has yet to be used in this way, but given the right circumstances I do not doubt for one second that HM Government would use its powers to pressure the BVI.

The summary

Trust, but verify. These are gospel words among infosec researchers. Many organisations, people and governments make great and grand claims that we are asked to trust; wherever you can, you should verify.

In this case, I spent some time researching Surfshark, having been made aware of them through their ever-increasing social media advertising. Companies like Surfshark prey on security-conscious individuals with interesting claims; in fact Tom Scott (an extremely interesting guy) made a video on this exact topic.

I would never say not to use Surfshark, because after reading this I believe you would be making an educated decision should you wish to use it. However, I do not recommend it, not until they extend their audit further.

Connor, Cyber Security/Terrorism Researcher & Consultant
Get in touch with me, or learn more here.
