Apple iOS 13.4 blocks VPNs from encrypting all traffic
A flaw means connections aren’t shut off when they’re supposed to be, and continue outside of the VPN tunnel
A security vulnerability in the latest version of Apple’s iOS software prevents third-party virtual private networks (VPNs) from encrypting all user traffic.
When a VPN is activated on a device, the operating system typically shuts off all existing connections and them re-establishes these through a VPN tunnel. Version 13.4 of Apple’s iOS, however, doesn’t close existing connections when connecting iPhones to a VPN. This is an issue first discovered in version 13.3.1.
This is an issue that affects some apps, but not all, because a wide swathe of connections are short-lived and are closed automatically, anyway.
Some connections, however, remain open for minutes or even hours, and will remain established outside of the VPN tunnel, according to researchers with ProtonVPN.
Apple’s push notifications, for example, fall into the latter category and maintain a long-running connection between the device and Apple servers. Any messaging apps or web beacons could also be affected, for example.
“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” ProtonVPN said.
“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common. Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.”
The developer added the most common problem is IP leaks, with attackers able to see users’ IP addresses and the IP address of the servers they’re connecting to. The server a user may connect to would also be able to see the true IP address, rather than that of the VPN server.
ProtonVPN used Wireshark to capture iOS device network traffic in order to establish proof for the vulnerability. They found direct traffic between the iOS device’s IP address and an external IP address that was not the VPN server, but Apple’s server instead.
Should the connection have been encrypted, they would have expected to see traffic only between the device’s IP and the VPN server or local IP addresses.
Apple has acknowledged the VPN bypass vulnerability and is looking into ways to mitigate the issue, according to the researchers