All iOS VPNs are worthless and Apple knows it, claims researcher
A detailed new report says that a long-standing bug in iOS prevents any VPN from fully encrypting all traffic -- and also claims that Apple has known about it since its discovery in 2020 and has chosen to do nothing.
The vulnerability was first discovered by VPN firm ProtonVPN in March 2020. At the time, the company said that when a VPN is switched on, the OS should terminate all internet connections and automatically re-establish them via the VPN to prevent unencrypted data leakage.
In iOS 13.3.1 and later versions, devices connecting with a VPN didn't close and re-open connections. Consequently, a user could unknowingly continue to use, in part, the insecure connections they had before turning on the VPN.
"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," said the company at that time.
Now Michael Horowitz, who describes himself as an independent computer consultant and blogger, says the vulnerability still exists. In a copiously illustrated 7,500-word post about the issue, Horowitz reports repeatedly finding significant data leaks when using VPNs on iOS.
"It takes so little time and effort to re-create this, and the problem is so consistent, that if [Apple] tried at all, they should have been able to re-create it," he writes. "None of my business. Maybe they are hoping, that like ProtonVPN, I will just move on and drop it. Dunno."
In short, Horowitz looked at the data stream that was exiting an iPad while different VPNs were being used.
"At first, they appear to work fine," he writes. "But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks."
"Data leaves the iOS device outside of the VPN tunnel," continues Horowitz. Using a newly-updated iPad and turning on a VPN, he recorded what he described as "another flood of requests... travelling outside the VPN tunnel."
Horowitz stopped after repeatedly documenting similar issues.
"I am simply interested in whether there is a problem, yes or no," he said. "I am not interested in fully defining/debugging the problem. That's for Apple."
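The kind of check described above can be reproduced on flow records collected upstream of the device. The following is an added example, not code from Horowitz's post or from ProtonVPN: it assumes flow records exported by a router between the device and the internet, and every address, port and timestamp is a constructed sample. It goes slightly beyond the article by separating connections that predate the tunnel from ones opened after it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Destinations expected outside a tunnel: LAN, link-local, multicast, broadcast.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "224.0.0.0/4", "255.255.255.255/32")]

@dataclass(frozen=True)
class Flow:
    first_seen: float  # seconds since capture start
    last_seen: float
    src: str
    dst: str
    dport: int
    proto: str

def classify(flows, device_ip, vpn_server, tunnel_up):
    """Bucket the device's flows that were active after the VPN came up."""
    out = {"tunnel": [], "local": [], "stale_leak": [], "new_leak": []}
    for f in flows:
        if f.src != device_ip or f.last_seen < tunnel_up:
            continue  # other hosts, or finished before the VPN was switched on
        if f.dst == vpn_server:
            out["tunnel"].append(f)
        elif any(ip_address(f.dst) in net for net in LOCAL_NETS):
            out["local"].append(f)
        elif f.first_seen < tunnel_up:
            out["stale_leak"].append(f)  # pre-VPN connection never torn down
        else:
            out["new_leak"].append(f)    # opened after the VPN, still bypassing it
    return out

# Constructed sample records (documentation address ranges, not real captures).
DEVICE, VPN, TUNNEL_UP = "192.168.1.50", "203.0.113.10", 100.0
SAMPLE = [
    Flow(10, 40, DEVICE, "198.51.100.7", 443, "tcp"),      # ended before VPN
    Flow(20, 300, DEVICE, "198.51.100.20", 443, "tcp"),    # survived VPN start
    Flow(101, 400, DEVICE, VPN, 51820, "udp"),             # the tunnel itself
    Flow(120, 121, DEVICE, "224.0.0.251", 5353, "udp"),    # mDNS on the LAN
    Flow(150, 160, DEVICE, "192.0.2.53", 53, "udp"),       # new request, no tunnel
    Flow(130, 140, "192.168.1.77", "198.51.100.99", 443, "tcp"),  # other host
]

if __name__ == "__main__":
    for label, hits in classify(SAMPLE, DEVICE, VPN, TUNNEL_UP).items():
        print(label, [(f.dst, f.dport, f.proto) for f in hits])
```

Any entry in `stale_leak` or `new_leak` is traffic that left the device in the clear while the VPN was nominally on.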
Horowitz's post also details his failed attempts to discuss the issue with Apple and the government's Cybersecurity and Infrastructure Security Agency (CISA).
"At this point, I see no reason to trust any VPN on iOS," he concludes. "My suggestion would be to make the VPN connection using VPN client software in a router, rather than on an iOS device."
Horowitz's research has concentrated on the use of third-party VPNs. He has not reported on whether there are any issues using Apple's Private Relay. Apple doesn't consider the Private Relay to have the same functionality as a full VPN, however.
Read on AppleInsider
Comments
I mean, even if connecting the VPN were to cut old connections, you still have the issue of the VPN dying.
It all depends on what you’re using the VPN for; I’m using it to access my home LAN away from home. For that purpose iOS’s VPN is fully functional.
Now if you’re using it to shield your traffic from prying eyes, it’s a completely different story, and iOS’s implementation is definitely completely inadequate, but I think it’s more an issue of how it’s architected. I’m willing to bet it’s far from the only platform having the problem.
I’m on my iPad using Safari. Nothing is encrypted.
I start a VPN. Then I start Firefox.
It sounds like the Firefox connection is encrypted, but Safari isn't?
Or is there data leakage between Firefox and Safari?
If I quit Safari and restart it, then it would be encrypted?
(By implication might there be leakage between what is running through the tunnel, and any app that isn’t, Mail, iMessage, etc.)
Not all VPNs have policies written in such a way that kills all connectivities and enforces all traffic (even those not targeted for other side of tunnel) through it. Still living in those 1990s VPN?
Protocols supported
These devices work with VPN servers that support the following protocols and authentication methods:
IKEv2/IPsec with authentication by shared secret, RSA Certificates, Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates, EAP-MSCHAPv2, or EAP-TLS
SSL-VPN using the appropriate client app from the App Store
L2TP/IPsec with user authentication by MS-CHAPV2 password and machine authentication by shared secret (iOS, iPadOS, and macOS) and RSA SecurID or CRYPTOCard (macOS only)
Cisco IPsec with user authentication by password, RSA SecurID or CRYPTOCard, and machine authentication by shared secret and certificates (macOS only)
Also the above has nothing to do with the article, which is about a huge bug in VPN that affects people all around the world who feel safe but aren’t.
What is happening is that on an operating system level the VPN tunnel gets ignored for some data streams and is going through the regular ‘channels’.
Take Cisco AnyConnect, do you know how many domains are in the default tunnel exemption list that end users CANNOT modify?!?!
The guy making these claims is so full of shit it's not even funny. I have yet to see ONE SINGLE COMMERCIAL VPN service that totally routes 100% of connections via the tunnel, except for my own OpenVPN server I run, which I have set up to route ALL traffic, and it actually does, even on iOS!