Apple iOS 13.4 blocks VPNs from encrypting all traffic

A flaw means connections aren’t shut off when they’re supposed to be, and continue outside of the VPN tunnel

A security vulnerability in the latest version of Apple’s iOS software prevents third-party virtual private networks (VPNs) from encrypting all user traffic.

When a VPN is activated on a device, the operating system is expected to tear down all existing connections and then re-establish them through the VPN tunnel. Version 13.4 of Apple’s iOS, however, does not close existing connections when an iPhone connects to a VPN, so those connections carry on outside the tunnel. The issue was first discovered in version 13.3.1.


This affects some apps but not all, because a wide swathe of connections are short-lived and are closed automatically anyway.

Some connections, however, remain open for minutes or even hours, and will remain established outside of the VPN tunnel, according to researchers with ProtonVPN.

Apple’s push notification service, for example, falls into the latter category: it maintains a long-running connection between the device and Apple’s servers. Messaging apps and web beacons could also be affected.

“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” ProtonVPN said.

“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common. Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.”


The developer added that the most common problem is IP leaks: an observer on the network can see the user’s real IP address and the IP addresses of the servers they are connecting to, and the server a user connects to also sees the device’s true IP address rather than that of the VPN server.

ProtonVPN used Wireshark to capture the iOS device’s network traffic in order to prove the vulnerability. With the VPN connected, they found direct traffic between the iOS device’s IP address and an external IP address that was not the VPN server but an Apple server instead.

Had the connection been routed through the tunnel as expected, they would have seen traffic only between the device’s IP address and the VPN server, or local IP addresses.
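The same check can be automated over an exported conversation summary. The script below is an added example, not ProtonVPN’s tooling or anything from Apple: given the device’s address and the VPN server’s address, it classifies each outbound flow as tunnel traffic, local traffic (RFC 1918, link-local, loopback, multicast) or a leak, which is exactly the distinction the researchers drew by eye in Wireshark. The flow lines, device address, VPN server address and destination hosts are all constructed; 17.0.0.0/8 is Apple’s allocated block but the specific host is made up, and the other public addresses are from the documentation ranges.

```python
import ipaddress
from collections import Counter

# Constructed sample, not a real capture: one flow per line as
# "src_ip,dst_ip,proto,dst_port,packets", the shape you get from exporting a
# Wireshark/tshark conversation summary. All addresses are hypothetical:
# 17.0.0.0/8 is Apple's block but the host is invented, and 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
DEVICE_IP = "192.168.1.23"        # the iPhone's Wi-Fi address (assumed)
VPN_SERVER_IP = "203.0.113.10"    # the VPN endpoint (assumed)

SAMPLE_FLOWS = """\
192.168.1.23,203.0.113.10,udp,4500,4120
192.168.1.23,17.57.144.120,tcp,5223,38
192.168.1.23,192.168.1.1,udp,53,6
192.168.1.23,224.0.0.251,udp,5353,3
192.168.1.23,198.51.100.7,tcp,443,210
"""

# Networks the device may legitimately reach directly while the tunnel is up.
# Listed explicitly rather than via ipaddress.is_private, which also treats the
# documentation ranges as private and would hide the leaks in this sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",
)]


def classify_destination(dst_ip, vpn_server_ip):
    """Return 'tunnel', 'local' or 'leak' for one destination address."""
    dst = ipaddress.ip_address(dst_ip)
    if dst == ipaddress.ip_address(vpn_server_ip):
        return "tunnel"
    if any(dst in net for net in LOCAL_NETS):
        return "local"
    return "leak"


def find_leaks(flow_text, device_ip, vpn_server_ip):
    """Parse flow lines and return (leaks, counts).

    leaks:  flows from the device to a public address other than the VPN
            server, i.e. traffic the tunnel should have carried.
    counts: Counter of tunnel/local/leak flows, a sanity check that the
            capture actually contained tunnel traffic at all.
    """
    leaks = []
    counts = Counter()
    for line in flow_text.strip().splitlines():
        src, dst, proto, port, packets = line.split(",")
        if src != device_ip:
            continue  # only outbound flows from the device under test
        kind = classify_destination(dst, vpn_server_ip)
        counts[kind] += 1
        if kind == "leak":
            leaks.append({"dst": dst, "proto": proto,
                          "port": int(port), "packets": int(packets)})
    return leaks, counts


if __name__ == "__main__":
    leaks, counts = find_leaks(SAMPLE_FLOWS, DEVICE_IP, VPN_SERVER_IP)
    print("flows by class:", dict(counts))
    for leak in leaks:
        print(f"LEAK  {DEVICE_IP} -> {leak['dst']}:{leak['port']}/{leak['proto']} "
              f"({leak['packets']} packets)")
```

Run against a capture taken after the VPN reports connected; anything reported as a leak that is more than a few packets is a pre-existing connection the OS failed to close. In the sample, the long-running connection to the Apple-range host on TCP 5223 and the HTTPS session to 198.51.100.7 are flagged, while the tunnel itself, local DNS and mDNS are not.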

Apple has acknowledged the VPN bypass vulnerability and is looking into ways to mitigate the issue, according to the researchers.
