iOS 13 Bug Allows Internet Traffic to Bypass VPN Encryption
A security vulnerability in iOS 13.3.1 and later prevents virtual private networks from carrying all of a device's traffic through the encrypted tunnel. Connections that stay outside the tunnel are exposed to the local network and the ISP, so the primary purpose of using a VPN for most users is not properly served on iOS, and data can leak.
iOS 13 has had a long list of bugs: Apple has released 11 updates for the operating system so far, both minor and major. This latest bug has been present and unpatched since iOS 13.3.1, which was released in January. iOS 13.4, released a few days ago with new features and security fixes, still has the same flaw.
The bug was discovered by ProtonVPN last year and reported to Apple. After the standard 90-day disclosure period, ProtonVPN published details of the VPN bypass vulnerability to inform customers of its impact and to ensure that users mitigate the risk by taking precautions when using a VPN on iOS.
Last year, we discovered a vulnerability in iOS that causes connections to bypass VPN encryption. This is a bug in iOS that impacts all VPNs. We have informed Apple, and we are now sharing details so you can stay safe. https://t.co/78v3Brispm
— ProtonVPN (@ProtonVPN) March 25, 2020
The root cause is that when a VPN connects on iOS, the system does not terminate existing Internet connections and re-establish them through the tunnel. Most connections that were already open stay bound to their original route outside the VPN, and such a connection can remain live outside the tunnel for anywhere from a few minutes to many hours, for as long as the application keeps it open. Because iOS does not allow a VPN app to kill other apps' existing connections, only Apple can fix this in the operating system itself.
ProtonVPN demonstrated the issue by capturing the device's traffic with Wireshark. Once the VPN is connected, every outbound packet captured on the local network should have the device's IP address as its source and the VPN server's IP address as its destination. Instead, the capture also showed outbound packets to other external destinations. In their example, connections to Apple's push notification server were still active outside the VPN tunnel.
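The Wireshark check above can be automated. The following is an added example, not ProtonVPN's or Apple's code: it takes a flow log in a simple "time src dst proto port" layout (an assumption modelled on a tshark field export), a device address, the VPN server address and the time the tunnel came up, and reports every outbound flow after that time that is not addressed to the VPN server. It also records whether each leaking flow already existed before the tunnel came up, which is the pattern this bug produces, as opposed to a new connection that bypasses the tunnel, which points at a routing or split-tunnel problem instead. The capture and all addresses are constructed (RFC 5737 documentation ranges).

```python
"""Flag connections that keep running outside the VPN tunnel.

Added example, not ProtonVPN's or Apple's code. The capture below is
constructed, the addresses are RFC 5737 documentation addresses, and the
'time src dst proto port' column layout is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, Tuple

Flow = Tuple[str, str, int]  # (destination ip, protocol, destination port)

# Assumed values for the constructed capture.
DEVICE_IP = "192.168.1.20"
VPN_SERVER = "203.0.113.5"
VPN_UP_AT = 1.0  # seconds since capture start when the tunnel came up

# Constructed sample capture (not real traffic). Text after '#' is ignored.
SAMPLE_CAPTURE = """\
0.000 192.168.1.20 198.51.100.7 TCP 443     # web session opened before the tunnel
0.400 192.168.1.20 192.0.2.9 TCP 5223       # long-lived push-style connection, before tunnel
1.000 192.168.1.20 203.0.113.5 UDP 51820    # tunnel comes up (VPN_UP_AT)
1.500 192.168.1.20 203.0.113.5 UDP 51820
2.000 192.168.1.20 192.0.2.9 TCP 5223       # still going to its origin, not the VPN server
2.200 192.168.1.20 224.0.0.251 UDP 5353     # multicast on the LAN, legitimately outside
3.000 192.168.1.20 198.51.100.7 TCP 443     # old web session also still outside the tunnel
3.100 198.51.100.7 192.168.1.20 TCP 52000   # inbound packet, ignored
4.000 192.168.1.20 203.0.113.5 UDP 51820
5.000 192.168.1.20 192.0.2.9 TCP 5223
6.000 192.168.1.20 198.51.100.77 TCP 443    # new connection bypassing the tunnel
"""


@dataclass
class Leak:
    packets: int = 0
    first_seen: float = 0.0        # first packet seen after the tunnel came up
    last_seen: float = 0.0
    started_before_vpn: bool = False  # flow already existed before the tunnel


def parse_capture(text: str) -> Iterator[Tuple[float, str, str, str, int]]:
    """Yield (time, src, dst, proto, port) tuples from the text log."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        t, src, dst, proto, port = line.split()
        yield float(t), src, dst, proto.upper(), int(port)


def find_leaks(capture: str, device_ip: str, vpn_server: str, vpn_up_at: float,
               local_nets: Iterable[str] = ("192.168.0.0/16", "10.0.0.0/8",
                                            "172.16.0.0/12", "224.0.0.0/4"),
               ) -> Dict[Flow, Leak]:
    """Return outbound flows seen after vpn_up_at whose destination is not the VPN server.

    Private and multicast destinations are skipped because most VPN setups
    leave LAN traffic outside the tunnel on purpose.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    seen_before: set = set()
    leaks: Dict[Flow, Leak] = {}
    for t, src, dst, proto, port in parse_capture(capture):
        if src != device_ip:
            continue  # inbound or another host
        flow: Flow = (dst, proto, port)
        if t < vpn_up_at:
            seen_before.add(flow)  # remember what was open before the tunnel
            continue
        if dst == vpn_server:
            continue  # inside the tunnel
        if any(ipaddress.ip_address(dst) in n for n in nets):
            continue  # local traffic, expected outside the tunnel
        leak = leaks.get(flow)
        if leak is None:
            leak = Leak(first_seen=t, started_before_vpn=flow in seen_before)
            leaks[flow] = leak
        leak.packets += 1
        leak.last_seen = t
    return leaks


if __name__ == "__main__":
    for (dst, proto, port), leak in find_leaks(SAMPLE_CAPTURE, DEVICE_IP,
                                               VPN_SERVER, VPN_UP_AT).items():
        kind = "pre-existing connection" if leak.started_before_vpn else "new connection"
        print(f"{dst}:{port}/{proto}: {leak.packets} packet(s) outside the tunnel "
              f"from t={leak.first_seen} to t={leak.last_seen} ({kind})")
```

On a real capture, export the needed fields with tshark (for example `frame.time_relative`, `ip.src`, `ip.dst`, `_ws.col.Protocol` and the destination port) into this layout, set `VPN_UP_AT` from the first packet to the VPN server, and treat every reported pre-existing flow as one that the airplane-mode workaround below should close; a reported new connection is a different problem that the workaround will not fix.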
As a workaround, ProtonVPN recommends the following steps, although they are not guaranteed to work in every case:
- Connect to any ProtonVPN server.
- Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN.
- Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%.
Apple has recommended Always On VPN as a mitigation, but that option is only available on supervised devices configured through MDM and only with IKEv2, so it is not an option for most VPN users or services.
It is unclear when Apple will patch the issue, as more than three months have passed since it was brought to the company's attention. Until then, be extra careful when relying on a VPN on iOS or iPadOS.