iOS bug prevents VPN apps from encrypting all traffic

Posted:
in General Discussion edited March 2020
An unpatched bug present in iOS 13.3.1 and later could keep a virtual private network (VPN) from fully encrypting all traffic, leaving data and IP addresses exposed.

The vulnerability, disclosed by a ProtonVPN user, impacts all VPN services on recent versions of iOS
The vulnerability, disclosed by a ProtonVPN user, impacts all VPN services on recent versions of iOS


VPNs work by routing your internet traffic through a secure tunnel, keeping your browsing activity both private and encrypted. Apple's mobile devices, like iPhone and iPad, have long supported both employer-issued VPNs and third-party options available on the App Store.

But a security vulnerability disclosed by ProtonVPN and shared with Bleeping Computer could keep VPNs on iOS and iPadOS from working properly, potentially leading to data leaks.

Impacted versions of iOS, including the latest iOS 13.4, fail to close existing internet connections when a user connects to a VPN. Typically, when opening a VPN, the OS terminates all previous connections and automatically reestablishes links to original destination servers through the VPN tunnel. That process is not occurring in recent versions of iOS.

Instead, iOS keeps some existing connections alive outside of the VPN tunnel, where data isn't encrypted. These connections, which can remain open for minutes or hours, could potentially reveal a user's location, leak their IP address, or expose them and the servers they're communicating with to attack.

Normally, those risks are fairly benign for the average user, but ProtonVPN explains that the people who rely on VPNs the most may be vulnerable to the direst consequences.

"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," the company writes.

ProtonVPN offers Apple's push notifications, whose connections to Apple's servers aren't terminated when connecting to a VPN, as an example. But the VPN maker notes that the bug can affect any app running on a user's device.

The bug cannot be fixed by a third-party VPN app, since Apple's tight sandboxing restrictions on iOS prevent them from terminating existing connections.

According to Bleeping Computer, Apple is aware of the issue and is currently working on mitigating it. While Apple recommends users enable Always-on VPN, that feature won't work for those who use third-party VPN apps.

Until Apple issues a fix, ProtonVPN recommends enabling and disabling Airplane Mode to manually kill connections after connecting to a VPN. The VPN maker warns that the workaround isn't 100% effective, however.

The VPN bypass vulnerability was first discovered in 2019 by a security researcher who is part of the Proton community. Along with ProtonVPN, Swiss-based security company Proton is well-known for their privacy-focused email client, ProtonMail.

Comments

  • Reply 1 of 15
    And yet sometimes you want to keep the established connections intact and use the VPN only for a single task (like, say, checking work email that is normally hidden behind a firewall). I'm not the only one who dreams of being able to route traffic from a subset of apps through a different network interface; currently the options are to use a VM or have devices managed via MDM. I wouldn't necessarily classify this as a bug.
    chasm
  • Reply 2 of 15
    I always keep my VPN on, nice to know it’s only kind of working. 
  • Reply 3 of 15
    This is only true for some kinds of VPN configuration (and its been around forever). If you set up with per-app VPN or the whole device always on VPN, this doesn't apply - in both of those cases if the VPN isn't up, the device thinks there's no network. Its only manual/on-demand configurations where its an issue.
    chasm
  • Reply 4 of 15
    cgWerkscgWerks Posts: 2,952member
    And yet sometimes you want to keep the established connections intact and use the VPN only for a single task (like, say, checking work email that is normally hidden behind a firewall). I'm not the only one who dreams of being able to route traffic from a subset of apps through a different network interface; currently the options are to use a VM or have devices managed via MDM. I wouldn't necessarily classify this as a bug.
    Yeah, it would be nice to be able to choose which way the VPN should work. If all the data is going over the VPN, I would think for people in danger could be more easily identified.

    The other thing I don't like is that while you're trying to establish a VPN connection, your device has already probably communicated with all your major accounts over the unsecured network (ie. coffee shop, airport, etc.).
  • Reply 5 of 15
    I always keep my VPN on, nice to know it’s only kind of working. 
    If you read the article you’d see that if you actually do keep it on all the time, you wouldn’t actually be affected.  
    chasm
  • Reply 6 of 15
    Apple...

    You’re so embarrassingly incompetent sometimes...
  • Reply 7 of 15
    oseameoseame Posts: 73member
    I noticed with L2TP VPN on my Mac, my IP didn't change when connected despite choosing to route all traffic through the VPN. But it does if I change the service order of network connections so that the VPN is first. I could have sworn it didn't used to be that way?
  • Reply 8 of 15
    igorskyigorsky Posts: 774member
    Apple...

    You’re so embarrassingly incompetent sometimes...
    Technology is hard. I understand they're a massive corporation and we'd like for everything to be perfect. But to have this kind of reaction to bugs in ultra-complex software is a little nutty.
    edited March 2020 jony0chasm
  • Reply 9 of 15
    cpsrocpsro Posts: 3,232member
    This should be user-configurable.
  • Reply 10 of 15
    boboliciousbobolicious Posts: 1,170member
    This may be of interest to some: www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/
  • Reply 11 of 15
    cgWerkscgWerks Posts: 2,952member
    This may be of interest to some: www.washingtonpost.com/technology/2019/05/28/its-middle-night-do-you-know-who-your-iphone-is-talking/
    And... Apple says you shouldn't quit apps when you're not using them. Yet another reason (and, a great reason just not to install a good bunch of them).
  • Reply 12 of 15
    chasmchasm Posts: 3,571member
    cpsro said:
    This should be user-configurable.
    It is user-configurable. You, the user, should start your VPN first if you want all connections to pass through it. If you already have some connections open, then you -- the user -- should put the device into Airplane Mode for a short time, open the VPN, and then turn off Airplane Mode.

    I agree that it's not actually a bug, just a minor inconvenience for the few users that alternate between non-VPN and VPN connections.
  • Reply 13 of 15
    cgWerkscgWerks Posts: 2,952member
    chasm said:
    It is user-configurable. You, the user, should start your VPN first if you want all connections to pass through it. If you already have some connections open, then you -- the user -- should put the device into Airplane Mode for a short time, open the VPN, and then turn off Airplane Mode.

    I agree that it's not actually a bug, just a minor inconvenience for the few users that alternate between non-VPN and VPN connections.
    OK, so you land at the airport or arrive at the coffee shop... how do you 'start your VPN' before many of the automatic connections pass through it? Once your device sees an internet connection, it starts communicating, God forbid you have to ALSO do one of those website-based Internet authorization things first.

    Also - maybe I'm misunderstanding Airplane Mode - but would the VPN connect with Airplane Mode on?

    Minor inconvenience for the few users? Don't most people use VPNs like that?
  • Reply 14 of 15
    jbdragonjbdragon Posts: 2,312member
    Is this really a bug? Or is this a hidden Apple feature that has now gotten leaked?
  • Reply 15 of 15
    “I feel that people need to learn about the expected behaviour of VPNs before commenting.
    There’s actually two types on iOS. Split vpn and full tunnel. Split allows some stuff to be routed elsewhere. Full tunnel tunnels everything.“

    Finally some one that understands that this is not a vulnerability but expected behavior. Split tunnel is the most compatible with most apps and full tunnel will causes issues with some applications due to latency Siri will time out or notifications will come through few seconds later. Encrypted DNS servers also work through split and full tunnel. It’s up to user to decide if given the option. But some experts believe that split tunnel is less secure. The point is it’s not a vulnerability and no fix is coming.
    edited January 2023
Sign In or Register to comment.