All iOS VPNs are worthless and Apple knows it, claims researcher

Posted:
in iOS edited July 2

A detailed new report says that a long-time bug in iOS prevents any VPN from fully encrypting all traffic -- and also claims that Apple has known about it and chosen to do nothing since discovery in 2020




The vulnerability was first discovered by VPN firm ProtonVPN in March 2020. At the time, the company said that when a VPN is switched on, the OS should terminate all internet connections and automatically re-establish them via the VPN to prevent unencrypted data leakage.

In iOS 13.3.1 and later versions, devices connecting with a VPN didn't close and re-open connections. Consequently, it was possible that a user would unknowingly in part continue to use the insecure connection they had before turning on the VPN.

"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," said the company at that time.

Now Michael Horowitz, who describes himself as an independent computer consultant and blogger, says the vulnerability still exists. In a copiously illustrated 7,500 word post about the issue, Horowitz repeatedly found significant data leaks when using VPNs on iOS.

"It takes so little time and effort to re-create this, and the problem is so consistent, that if [Apple] tried at all, they should have been able to re-create it," he writes. "None of my business. Maybe they are hoping, that like ProtonVPN, I will just move on and drop it. Dunno."

In short, Horowitz looked at the data stream that was exiting the iPad while different VPNs were being used.

"At first, they appear to work fine," he writes. "But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks."

"Data leaves the iOS device outside of the VPN tunnel," continues Horowitz. Using a newly-updated iPad and turning on a VPN, he recorded what he described as "another flood of requests... travelling outside the VPN tunnel."

Horowitz stopped after repeatedly documenting similar issues.

"I am simply interested in whether there is a problem, yes or no," he said. "I am not interested in fully defining/debugging the problem. That's for Apple."

Horowitz's detail includes his failed attempts to discuss the issue with Apple and the government's Cybersecurity and Infrastructure Security Agency (CISA).

"At this point, I see no reason to trust any VPN on iOS," he concludes. "My suggestion would be to make the VPN connection using VPN client software in a router, rather than on an iOS device."

Horowitz's research has concentrated on the use of third-party VPNs. He has not reported on whether there are any issues using Apple's Private Relay. Apple doesn't consider the Private Relay to have the same functionality as a full VPN, however. You can find a list of the cheapest VPN deals and our favorite VPN for iPhone picks in our dedicated roundups.



Read on AppleInsider

appleuseryeah
«13

Comments

  • Reply 1 of 43
    Apple cares more about adding moronic effects to Messages for children & older people who still behave like children than they do about providing a secure platform. They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and b stop being morally bankrupt.
    beowulfschmidtxyzzy-xxxappleuseryeahCheeseFreezebyronlnapoleon_phoneapartwilliamlondonkkqd1337elijahggrandact73
  • Reply 2 of 43
    SMH…. Thanks Apple. 
    appleuseryeahscstrrfwilliamlondonelijahggrandact73
  • Reply 3 of 43
    rezwitsrezwits Posts: 900member
    Worthless? Doubt...  I have uses even tho they are not encrypted...
    appleuseryeahwatto_cobra
  • Reply 4 of 43
    hmlongcohmlongco Posts: 567member
    They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and b stop being morally bankrupt.
    Developers need to realize that Apple provides a service, platform, and store on which they can sell their wares to over a billion people. They need to to grow up and stop expecting something for nothing.
    zeus423dougboarigilly33radarthekatmagman1979sireofsethscstrrfdoozydozentdknoxwilliamlondon
  • Reply 5 of 43
    hmlongcohmlongco Posts: 567member
    On the flip side, I use a VPN to get through a firewall and reach an encrypted service for a specific app. Some VPN's don't route all data through their tunnel. and in this case the VPN is far from "worthless".
    radarthekatmagman1979doozydozenwilliamlondondewmekillroyFileMakerFellerwatto_cobrajony0
  • Reply 6 of 43
    So basically turn on VPN and all new connections are encrypted, right? So if you need to make sure your connection is going through the VPN kill and restart the app? I wouldn’t call that useless.
    I mean, even if connecting the VPN were to cut old connections, you still have the issue of the VPN dying.
    it all depends on what you’re using the VPN for; I’m using it to access my home LAN away from home. For that purpose iOS’s VPN is fully functional.
    Now if you’re using it to shield your traffic from prying eyes, it’s a completely different story, and iOS’s implementation is definitely completely inadequate, but I think it’s more an issue of how it’s architectured. I’m willing to bet it’s far from the only platform having the problem.
    radarthekatkillroyFileMakerFellerwatto_cobrajony0
  • Reply 7 of 43
    DAalsethDAalseth Posts: 3,010member
    Let me know if I’m understanding this right;
    I’m on my iPad using Safari. Nothing is encrypted.
    I start a VPN. Then I start FireFox
    It sounds like the FireFox connection is encrypted, but Safari isn't?
    Or is there data leakage between FireFox and Safari?
    If I quit Safari and restart it, then it would be encrypted?
    (By implication might there be leakage between what is running through the tunnel, and any app that isn’t, Mail, iMessage, etc.)
    edited August 2022 gilly33byronlkillroyuraharawatto_cobra
  • Reply 8 of 43
    chaickachaicka Posts: 257member
    Interestingly, Microsoft Windows 10 behaves the same way. So what’s the big deal? Why not mention Microsoft too?  :p

    Not all VPNs have policies written in such a way that kills all connectivities and enforces all traffic (even those not targeted for other side of tunnel) through it. Still living in those 1990s VPN?
    gilly33foregoneconclusionmagman1979chadbagscstrrftdknoxkillroyFileMakerFelleruraharawatto_cobra
  • Reply 9 of 43
    larryjwlarryjw Posts: 1,036member

    Protocols supported

    These devices work with VPN servers that support the following protocols and authentication methods:

    • IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2, or EAP-TLS

    • SSL-VPN using the appropriate client app from the App Store

    • L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)

    • Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)

    This article mentions VPN generally. The above quote from Apple indicates the VPN protocols supported. I take this to imply there may be certain VPN apps for iOS, iPadOS and MacOS which may not fully protect communications. 
    foregoneconclusionsireofsethdoozydozenrezwitskillroyFileMakerFelleruraharajony0
  • Reply 10 of 43
    22july201322july2013 Posts: 3,719member
    Apple's Private Relay is a paid service that provides some similar functionality (not identical) to a VPN, so that may be the reason. I don't like the reason, but it's a reason.
    rezwitskillroywatto_cobraelijahg
  • Reply 11 of 43
    hmlongco said:
    They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and b stop being morally bankrupt.
    Developers need to realize that Apple provides a service, platform, and store on which they can sell their wares to over a billion people. They need to to grow up and stop expecting something for nothing.
    You have to realize that statement is completely bananas, and several governments and experts feel the same way. They’ve outlined exactly why they think so in comprehensive reports, and they hold much more weight than your opinion which provides no real arguments or insights and lacks any form of expert knowledge.

    Also the above has nothing to do with the article, which is about a huge bug in VPN that affects people all around the world who feel safe but aren’t.
    byronlneoncatchadbagwilliamlondonwelshdogFileMakerFellerelijahg
  • Reply 12 of 43
    larryjw said:

    Protocols supported

    These devices work with VPN servers that support the following protocols and authentication methods:

    • IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2, or EAP-TLS

    • SSL-VPN using the appropriate client app from the App Store

    • L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)

    • Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)

    This article mentions VPN generally. The above quote from Apple indicates the VPN protocols supported. I take this to imply there may be certain VPN apps for iOS, iPadOS and MacOS which may not fully protect communications. 
    The article is about VPN and its various protocols in general. The protocols are irrelevant in this discussion.
    What is happening is that on an operating system level the VPN tunnel gets ignored for some data streams and is going through the regular ‘channels’. 
    That isn’t supposed to work like that. VPN turned on, regardless of the protocol, means no data should move outside the tunnel, which is very problematic.
    neoncatOfermuthuk_vanalingamwilliamlondonNoFliesOnMemac_dogy2anuraharaelijahg
  • Reply 13 of 43
    magman1979magman1979 Posts: 1,301member
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have setup to route ALL traffic, and it actually does, even on iOS!
    sireofsethstrongylordjohnwhorfinwilliamlondonericthehalfbeerezwitskillroyFileMakerFellerNoFliesOnMemacplusplus
  • Reply 14 of 43
    larryjw said:

    Protocols supported

    These devices work with VPN servers that support the following protocols and authentication methods:

    • IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2, or EAP-TLS

    • SSL-VPN using the appropriate client app from the App Store

    • L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)

    • Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)

    This article mentions VPN generally. The above quote from Apple indicates the VPN protocols supported. I take this to imply there may be certain VPN apps for iOS, iPadOS and MacOS which may not fully protect communications. 
    The article is about VPN and its various protocols in general. The protocols are irrelevant in this discussion.
    What is happening is that on an operating system level the VPN tunnel gets ignored for some data streams and is going through the regular ‘channels’. 
    That isn’t supposed to work like that. VPN turned on, regardless of the protocol, means no data should move outside the tunnel, which is very problematic.
    That isn't entirely accurate. it's about VPN apps and not VPN in general. Horowitz is pretty clear that if you use the VPN set up in Settings or via device management then it works fine. The issue is limited to third party VPN apps. 
    sireofsethstrongychadbagtenthousandthingskillroyFileMakerFellerfreeassociate2watto_cobra
  • Reply 15 of 43
    neoncatneoncat Posts: 164member
    Apple Defense Force™ is flexing its muscles in this thread! God bless.
    muthuk_vanalingammulasienrezwitselijahgcrowley
  • Reply 16 of 43
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    watto_cobra
  • Reply 17 of 43
    chadbagchadbag Posts: 2,024member
    Apple cares more about adding moronic effects to Messages for children & older people who still behave like children than they do about providing a secure platform. They also care more about self-righteous posturing & fleecing third-party developers. Apple needs to grow up and b stop being morally bankrupt.
    Lol.  SMH.   Lol.  
    williamlondonkillroywatto_cobrajony0
  • Reply 18 of 43
    Obviously this idiot has never seen the exemption lists of MANY VPN clients, even those outside iOS ecosystem, such as Windows and macOS...

    Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!

    The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have setup to route ALL traffic, and it actually does, even on iOS!
    Split tunnel exceptions are just for VPNs (like Cisco AnyConnect or OpenVPN) that connect you to a home or work network. Consumer VPNs used for privacy should be sending all traffic. They should certainly be sending Gmail and DNS traffic which the author mentioned was bypassing the VPN for new connections.
    edited August 2022 muthuk_vanalingamFileMakerFellerelijahg
  • Reply 19 of 43
    22july201322july2013 Posts: 3,719member
    neoncat said:
    Apple Defense Force™ is flexing its muscles in this thread! God bless.
    Don't count me in that group today - I said I didn't like it.
  • Reply 20 of 43
    22july201322july2013 Posts: 3,719member
    Apple takes privacy seriously, so hopefully they fix this. App review should also be looking for data leaks from VPN apps if it really offers the consumer protections Apple says it does.
    What kind of leaks are you talking about here? VPNs have many vulnerabilities, not just apps which leak data. Do you really trust a single third party to handle all your private data? Do you even know which national governments have the right to issue warrants to get data from the VPN company's software to provide information from their users? I don't trust VPNs very much which is why I prefer using Apple's Private Relay, which addresses some of those vulnerabilities.
    edited August 2022 magman1979
Sign In or Register to comment.