Using Freedome securely / False marketing claims
I already tried to contact the support about this, but I was told that I should make a topic on the forums. I told customer service that it's about vulnerability in the product (by design though) but they still advised me to use the forums.
So, one day I tried to connect securely to an open Wi-Fi network by activating Freedome for Windows (10) while on mobile network, and then switched to unsecured Wi-Fi. To my surprise, Freedome disconnected and during reconnecting (on that network it took like 2 minutes) all my traffic was sent directly via the unsecured Wi-Fi connection - that means if anybody was listening, they saw all that traffic.
The Freedome marketing website claims that Freedome "shields you on public Wi-Fi – your data is protected even in vulnerable unsecured hotspots" and "With the push of a button, Freedome gives you your own private network, blocking bad apps and harmful sites." These claims are completely unfounded if the protection can suddenly turn off any time.
Especially a vulnerable unsecured hotspot could easily exploit this feature. Because this is a public forum, I won't discuss the details for now. Anybody who knows something about internet protocols could come up with a couple of techniques, though.
I also want to make clear that I'm not exposing anything new. There exists a discussion on these forums where an F-Secure staff member tells that this is Freedome working as intended, and blocking traffic while disconnected from VPN is a feature that is "considered".
Another thing: while Freedome tries to connect to VPN server, it tells user that they are "protected", even though they're not since it hasn't connected yet. This is also extremely misleading.
At least in Finland, it is illegal to market a product with false claims, and I think that is the case here. You are also undermining your own credibility as security professionals by marketing your product with outrageous lies. It's like if you sold electronic locks which opened when mains are cut off.
Comments
-
Yes, a kill switch would be nice. I suggested this back in 04/2015. Probably many others have before/after me done so too. Some vpn providers offer this functionality with their software, not sure why f-secure doesn't;
"10.. Do you provide tools such as “kill switches” if a connection drops and DNS leak protection?"
https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/
-
Hello alpacat,
Good day to you and welcome to our F-Secure Community!
My name is Calvin, and I’m the primary contact for security vulnerabilities concerning F-Secure’s products and services.
We would like to thank you for bringing this issue to our attention and would also like to inform you that our Freedome development team has been contacted regarding this. The team is currently investigating the reported issue and we will get back to you as soon as we have an update. At the same time, if you have additional information which you would like to share with us, kindly email us at security@f-secure.com with the details and we can communicate from there.
Rest assured that our objective is to protect our users privacy and we take these reports with priority.
Should you have further information or questions, kindly include them in your responses to security@f-secure.com. Thank you for your cooperation!
Best regards,
Calvin Gan
F-Secure Security Vulnerability Expert
