Apple iOS 13.4 blocks VPNs from encrypting all traffic

A flaw means connections aren’t shut off when they’re supposed to be, and continue outside of the VPN tunnel

A security vulnerability in the latest version of Apple’s iOS software prevents third-party virtual private networks (VPNs) from encrypting all user traffic.

When a VPN is activated on a device, the operating system typically shuts off all existing connections and then re-establishes them through the VPN tunnel. Version 13.4 of Apple’s iOS, however, doesn’t close existing connections when connecting iPhones to a VPN. The issue was first discovered in version 13.3.1.

The issue affects some apps but not all, because a wide swathe of connections are short-lived and are closed automatically anyway.

Some connections, however, remain open for minutes or even hours, and will remain established outside of the VPN tunnel, according to researchers with ProtonVPN.

Apple’s push notifications, for example, fall into the latter category and maintain a long-running connection between the device and Apple servers. Any messaging apps or web beacons could also be affected, for example.

“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” ProtonVPN said.

“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common. Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.”

The developer added that the most common problem is IP leaks, with attackers able to see users’ IP addresses and the IP addresses of the servers they’re connecting to. The server a user connects to would also be able to see the device’s true IP address, rather than that of the VPN server.

ProtonVPN used Wireshark to capture iOS device network traffic in order to establish proof for the vulnerability. They found direct traffic between the iOS device’s IP address and an external IP address that was not the VPN server, but Apple’s server instead. 

Should the connection have been encrypted, they would have expected to see traffic only between the device’s IP and the VPN server or local IP addresses.
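The check ProtonVPN describes can be expressed as a simple rule over a capture: once the tunnel is up, the only conversations the device should have are with the VPN server or with hosts on the local network. The script below is an added example, not ProtonVPN’s or Apple’s code; the device address, VPN server address and every flow in the sample capture are constructed placeholders, and it flags any conversation with a remote peer that is neither the VPN endpoint nor a local or link-local address, longest-lived first, since those are the connections the article singles out as surviving outside the tunnel.

```python
"""Flag captured conversations that bypass an iPhone's VPN tunnel.

Added example, not ProtonVPN's tooling. Once the VPN is connected, the
device should only talk to the VPN server or to local hosts; anything
else is a pre-existing connection iOS failed to close. All addresses
below are constructed sample values, not from the article.
"""
import ipaddress
from dataclasses import dataclass

# Assumed scenario values (constructed; not from the article).
DEVICE_IP = "192.168.1.20"        # the iPhone's address on the Wi-Fi LAN
VPN_SERVER_IP = "203.0.113.10"    # VPN endpoint (TEST-NET-3 documentation range)

# Destinations that legitimately stay outside the tunnel: the LAN itself
# (router, local DNS) plus link-local, multicast and broadcast housekeeping.
_ALLOWED_LOCAL = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
    ipaddress.ip_network("255.255.255.255/32"),
]


@dataclass(frozen=True)
class Flow:
    """One conversation, as Wireshark's Conversations view would list it."""
    src: str
    dst: str
    proto: str
    dport: int
    duration_s: float   # how long the conversation stayed open


def is_local(addr: str) -> bool:
    """True for LAN, link-local, multicast or broadcast addresses."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _ALLOWED_LOCAL)


def leaves_tunnel(flow: Flow, device_ip: str, vpn_server_ip: str) -> bool:
    """True if the device talks directly to a remote host other than the VPN server."""
    if flow.src != device_ip and flow.dst != device_ip:
        return False                       # not this device's traffic at all
    peer = flow.dst if flow.src == device_ip else flow.src
    if peer == vpn_server_ip:
        return False                       # encapsulated tunnel traffic, expected
    return not is_local(peer)


def find_bypass_flows(flows, device_ip=DEVICE_IP, vpn_server_ip=VPN_SERVER_IP):
    """Return conversations that bypass the tunnel, longest-lived first.

    Short-lived connections close on their own and come back inside the
    tunnel; the long-running ones are the practical exposure.
    """
    leaks = [f for f in flows if leaves_tunnel(f, device_ip, vpn_server_ip)]
    return sorted(leaks, key=lambda f: f.duration_s, reverse=True)


# Constructed capture: what a pcap taken shortly after the VPN came up might show.
SAMPLE_FLOWS = [
    Flow(DEVICE_IP, VPN_SERVER_IP, "UDP", 1194, 3600.0),   # the tunnel itself
    Flow(DEVICE_IP, "192.168.1.1", "UDP", 53, 0.1),        # LAN DNS to the router, fine
    Flow(DEVICE_IP, "224.0.0.251", "UDP", 5353, 0.5),      # mDNS, fine
    Flow(DEVICE_IP, "198.51.100.7", "TCP", 5223, 2700.0),  # long-lived push-style session opened before the VPN
    Flow("198.51.100.9", DEVICE_IP, "TCP", 52011, 1.2),    # pre-existing HTTPS session listed with the remote as endpoint A
]

if __name__ == "__main__":
    for f in find_bypass_flows(SAMPLE_FLOWS):
        print(f"outside tunnel: {f.src} -> {f.dst} {f.proto}/{f.dport}, open {f.duration_s:.0f}s")
```

The same rule can be applied directly in Wireshark on a real capture with a display filter such as `ip.addr == 192.168.1.20 && !(ip.addr == 203.0.113.10) && !(ip.addr == 192.168.0.0/16)`, substituting the device and VPN server addresses; whatever remains after the tunnel is established is traffic the VPN is not protecting.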

Apple has acknowledged the VPN bypass vulnerability and is looking into ways to mitigate the issue, according to the researchers.
