Mike Peterson
An unpatched bug present in iOS 13.3.1 and later could keep a virtual private network (VPN) from fully encrypting all traffic, leaving data and IP addresses exposed.
VPNs work by routing your internet traffic through a secure tunnel, keeping your browsing activity both private and encrypted. Apple's mobile devices, like iPhone and iPad, have long supported both employer-issued VPNs and third-party options available on the App Store.
But a security vulnerability disclosed by ProtonVPN and shared with Bleeping Computer could keep VPNs on iOS and iPadOS from working properly, potentially leading to data leaks.
Impacted versions of iOS, including the latest iOS 13.4, fail to close existing internet connections when a user connects to a VPN. Typically, when opening a VPN, the OS terminates all previous connections and automatically reestablishes links to original destination servers through the VPN tunnel. That process is not occurring in recent versions of iOS.
Instead, iOS keeps some existing connections alive outside of the VPN tunnel, where data isn't encrypted. These connections, which can remain open for minutes or hours, could potentially reveal a user's location, leak their IP address, or expose them and the servers they're communicating with to attack.
Normally, those risks are fairly benign for the average user, but ProtonVPN explains that the people who rely on VPNs the most may be vulnerable to the direst consequences.
"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," the company writes.
ProtonVPN offers Apple's push notifications, whose connections to Apple's servers aren't terminated when connecting to a VPN, as an example. But the VPN maker notes that the bug can affect any app running on a user's device.
The bug cannot be fixed by a third-party VPN app, since Apple's tight sandboxing restrictions on iOS prevent them from terminating existing connections.
According to Bleeping Computer, Apple is aware of the issue and is currently working on mitigating it. While Apple recommends users enable Always-on VPN, that feature won't work for those who use third-party VPN apps.
Until Apple issues a fix, ProtonVPN recommends enabling and disabling Airplane Mode to manually kill connections after connecting to a VPN. The VPN maker warns that the workaround isn't 100% effective, however.
The VPN bypass vulnerability was first discovered in 2019 by a security researcher who is part of the Proton community. Along with ProtonVPN, Swiss-based security company Proton is well-known for their privacy-focused email client, ProtonMail.
William Gallagher
Christine McKee
AppleInsider Staff
Chip Loder
Malcolm Owen
15 Comments
And yet sometimes you want to keep the established connections intact and use the VPN only for a single task (like, say, checking work email that is normally hidden behind a firewall). I'm not the only one who dreams of being able to route traffic from a subset of apps through a different network interface; currently the options are to use a VM or have devices managed via MDM. I wouldn't necessarily classify this as a bug.
I always keep my VPN on, nice to know it’s only kind of working.
This is only true for some kinds of VPN configuration (and its been around forever). If you set up with per-app VPN or the whole device always on VPN, this doesn't apply - in both of those cases if the VPN isn't up, the device thinks there's no network. Its only manual/on-demand configurations where its an issue.