We work hard to make Vilfo the best VPN router ever created. Security and privacy are a huge part of that.
We believe that security audits should be performed by a third party, as it is impossible to find all issues in-house. We had read some of ctrl.blog's previous articles, appreciated his thorough and critical work, and therefore decided to send him a prototype.
We don't agree with all of his statements and conclusions, but we agree that he found several areas where the security and privacy of Vilfo could be improved. We have already fixed most of them:
- Passwords are no longer included when diagnostics are submitted
- Diagnostics are stored on a private Vilfo server rather than being submitted to Intercom
- Diagnostics are automatically purged
- MAC addresses in URIs have been replaced with local IP addresses (e.g. 192.168.0.12)
- LAN devices use the DNS servers pushed by the VPN server, and their DNS lookups are routed through the VPN tunnel
- OVPN.com's DNS servers are no longer the default; Vilfo now uses the ISP's DNS servers unless they are changed manually
- The setup flow has been re-organized so that the first step is setting a Wi-Fi password
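To make the DNS item above concrete, here is an added example of how a LEDE/OpenWrt router can pick up the DNS servers pushed by an OpenVPN server and make sure LAN clients actually use them. It is illustration written for this page, not Vilfo's code; the file paths, the UCI section names and the OpenVPN interface name are assumptions. OpenVPN hands pushed options it does not consume itself to an `up` script as environment variables `foreign_option_1`, `foreign_option_2`, and so on, which is what the first function parses.

```shell
#!/bin/sh
# Added example, not Vilfo's code: an OpenVPN "up" script for a LEDE/OpenWrt
# router that applies the DNS servers pushed by the VPN server, so that LAN
# clients' lookups are answered by the router's dnsmasq and leave via the tunnel.
# OpenVPN passes pushed options it does not consume itself to the script as
# environment variables foreign_option_1, foreign_option_2, ... with values
# such as "dhcp-option DNS 10.8.0.1". File paths and UCI section names are
# assumptions for illustration.

# Print the IPv4 servers from any "dhcp-option DNS" entries, space separated.
# Other pushed options (DOMAIN, ...) and malformed values are ignored.
pushed_dns() {
    i=1
    out=""
    while :; do
        eval "opt=\${foreign_option_$i:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                addr=${opt#dhcp-option DNS }
                # Accept a dotted quad only: a hostile or buggy VPN server
                # must not be able to inject arbitrary text into resolv.conf.
                if printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                    out="${out:+$out }$addr"
                fi
                ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Write the pushed servers to the resolv file dnsmasq uses for its upstreams
# ("option resolvfile" in the dnsmasq section of /etc/config/dhcp). Returns 1
# and leaves the file alone if nothing usable was pushed, so the router keeps
# its previous resolvers rather than ending up with none.
apply_pushed_dns() {
    resolv=${1:-/tmp/resolv.conf.vpn}
    servers=$(pushed_dns)
    [ -n "$servers" ] || return 1
    tmp="$resolv.tmp"
    : > "$tmp"
    for s in $servers; do
        echo "nameserver $s" >> "$tmp"
    done
    mv "$tmp" "$resolv"
    # On the router itself, point dnsmasq at the file and reload it.
    if command -v uci >/dev/null 2>&1; then
        uci set dhcp.@dnsmasq[0].resolvfile="$resolv"
        uci commit dhcp
        /etc/init.d/dnsmasq reload
    fi
}

# One-time setup (not per connection): DNAT every LAN packet to port 53 to the
# router, so a client that hard-codes 8.8.8.8 still resolves via the tunnel
# instead of leaking to the ISP. Routing the tunnel itself is outside this script.
force_lan_dns() {
    command -v uci >/dev/null 2>&1 || return 0
    uci add firewall redirect >/dev/null
    uci set firewall.@redirect[-1].name='Force-LAN-DNS'
    uci set firewall.@redirect[-1].src='lan'
    uci set firewall.@redirect[-1].proto='tcp udp'
    uci set firewall.@redirect[-1].src_dport='53'
    uci set firewall.@redirect[-1].target='DNAT'
    uci commit firewall
    /etc/init.d/firewall reload
}

# OpenVPN sets script_type=up when it runs the script configured with
# "script-security 2" and "up /etc/openvpn/vpn-dns.sh" (assumed path).
if [ "${script_type:-}" = "up" ]; then
    apply_pushed_dns
fi
```

The address check matters more than it looks: whatever the VPN server pushes ends up in a file that dnsmasq parses, so only a plain IPv4 literal is accepted. Refusing to overwrite the resolv file when nothing valid was pushed avoids the opposite failure, a router with no resolvers at all after a bad push.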
We are working on:
- Adding HTTPS support
- Possibly adding a password prompt when a screen is connected to Vilfo. Before that, we need a physical way to factory-reset the unit.
The ubus API in LEDE requires the credentials of a superuser in order to make API requests. Even if that password is stored encrypted in a database, the key needed to decrypt it is also on the device, so anyone with physical access could recover it. We are looking for other solutions, but physical tampering is a concern that applies to all devices and is not exclusive to Vilfo.
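One caveat worth adding here: rpcd, the daemon that exposes ubus over HTTP in LEDE, does not have to be used with the root account. It authorises each session against ACL groups defined in `/usr/share/rpcd/acl.d/*.json` and `config login` sections in `/etc/config/rpcd`, so a web interface can be given its own account that is limited to exactly the objects and methods it needs; a stolen UI password then cannot reboot the box or read arbitrary files through ubus. The script below is an added example written for this page, not Vilfo's code. The account name `vilfo-ui`, the ACL group contents, the interface name `network.interface.vpn` and the staging-directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not Vilfo's code: give the web UI its own limited rpcd account
# instead of the root password. rpcd checks every ubus call made through a
# session against the ACL groups granted to the login that created it.
# Usage: install_ui_account [staging_dir] <crypt(3) password hash>
# The account name, ACL group and method list are assumptions for illustration.

install_ui_account() {
    root=${1:-}
    pw_hash=$2
    acl_dir="$root/usr/share/rpcd/acl.d"
    rpcd_cfg="$root/etc/config/rpcd"
    mkdir -p "$acl_dir" "$(dirname "$rpcd_cfg")"

    # ACL group: what a logged-in "vilfo-ui" session may read and write.
    # Anything not listed (e.g. the "file" object, or "system" -> "reboot")
    # is denied, whoever holds the password.
    cat > "$acl_dir/vilfo-ui.json" <<'EOF'
{
  "vilfo-ui": {
    "description": "Status and VPN control for the Vilfo web UI (example ACL)",
    "read": {
      "ubus": {
        "network.interface": [ "status", "dump" ],
        "system":            [ "board", "info" ],
        "session":           [ "access" ]
      },
      "uci": [ "network", "wireless" ]
    },
    "write": {
      "ubus": {
        "network.interface.vpn": [ "up", "down" ]
      }
    }
  }
}
EOF

    # Login section. The password is a crypt(3) hash (e.g. from "openssl passwd"),
    # so the UI never needs the root password. "$p$root" in the stock config is
    # what makes rpcd reuse the root Unix password; this account does not.
    cat >> "$rpcd_cfg" <<EOF

config login
    option username 'vilfo-ui'
    option password '$pw_hash'
    list read 'vilfo-ui'
    list write 'vilfo-ui'
EOF

    # On the router itself (no staging dir), make rpcd pick up the new files.
    if [ -z "$root" ] && [ -x /etc/init.d/rpcd ]; then
        /etc/init.d/rpcd reload
    fi
}

# The UI then authenticates once and carries the returned token in every
# later request, e.g. on the router:
#   ubus call session login '{"username":"vilfo-ui","password":"<pw>"}'
# The reply contains "ubus_rpc_session"; rpcd enforces the ACL above on it.
```

Whether Vilfo's own interface could run on such an account depends on which ubus objects it needs, but the mechanism removes the need to keep a superuser password on the device at all, which is a different problem from physical tampering.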
During development we received a lot of feedback and came to understand the value of being able to gather the insights and data needed to reproduce users' problems. We eventually decided that the user experience would improve if we integrated a robust support system directly into the Vilfo interface, so that we can quickly guide users and address any questions or concerns they have.
On top of integrating Intercom directly into the user interface, we added Google Analytics to understand which areas need further development and how Vilfo is actually used.
Intercom & Google Analytics are used to better know where to focus development, make meaningful improvements, and improve user experience. This is how we have managed to improve the software since November together with our beta testers.
With this said, we have tried our best to ensure that what is shared with Analytics is neither sensitive nor intrusive. We obviously made a mistake with the MAC addresses in URLs, which is why we appreciate that ctrl.blog found and reported the issue.
We recognise that not everyone wants Intercom and Google Analytics included, so we now allow users to disable them.
We are very glad that we decided to send a prototype to ctrl.blog, as it has resulted in a better and safer product.