iOS 13 Bug Allows Internet Traffic to Bypass VPN Encryption

Mar 27, 2020

A security vulnerability in iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all device traffic. As a result, the main thing most users want from a VPN does not work properly on iOS, which can lead to data leaks.

iOS 13 has had a long list of bugs. Apple has released 11 updates for the operating system so far, both minor and major. This latest bug has been unpatched since iOS 13.3.1, which was released in January. The current version, iOS 13.4, was released a few days ago with new features and security fixes, and it has the same security flaw.

The iOS security bug was discovered by ProtonVPN last year, after which they reported it to Apple. Now that the standard 90-day period has passed, ProtonVPN has published details of the VPN bypass vulnerability to inform customers of its impact, so that users can reduce their risk by taking precautions when using a VPN on iOS.

The root of the issue is that when you connect to a VPN, iOS does not terminate all existing Internet connections and re-establish them through the VPN tunnel. Most existing connections are allowed to stay open outside the tunnel, where they can remain live for anywhere from a few minutes to many hours.

ProtonVPN demonstrated the issue by using Wireshark to monitor traffic from an iOS device. After connecting to a VPN, the source IP address of every packet should be the device's IP address, and the destination IP address should belong to the VPN server. However, ProtonVPN's capture also showed external IP addresses as destinations. In their example, connections to Apple's push notification server were still active outside the VPN tunnel.
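The same check can be scripted over a packet list instead of being read off the Wireshark window. The following is an added example, not ProtonVPN's code or capture: it flags packets the device sends to anything other than the VPN server after the tunnel is up, and notes whether that destination was already in use beforehand. The three-column input format, all addresses, and the name `find_vpn_bypass` are assumptions, and matching on destination IP alone (rather than on full connections) is a simplification.

```python
import ipaddress
from collections import defaultdict

# Constructed sample (not ProtonVPN's capture): one packet per line as
# "epoch_seconds source_ip destination_ip". Public addresses are documentation ranges.
SAMPLE_CAPTURE = """\
990.0 192.168.1.23 198.51.100.7
995.0 192.168.1.23 198.51.100.20
1000.0 192.168.1.23 203.0.113.10
1002.5 192.168.1.23 198.51.100.7
1010.0 192.168.1.23 203.0.113.10
1015.0 203.0.113.10 192.168.1.23
1020.0 192.168.1.23 192.168.1.1
1300.0 192.168.1.23 198.51.100.7
"""

def find_vpn_bypass(capture, device_ip, vpn_server_ip, lan_cidr, vpn_up_at):
    """Map each leaked destination to (packets, seconds the leak lasted after
    the VPN came up, whether the destination was already in use before it)."""
    device = ipaddress.ip_address(device_ip)
    vpn = ipaddress.ip_address(vpn_server_ip)
    lan = ipaddress.ip_network(lan_cidr)
    seen_before, leaks = set(), defaultdict(list)
    for line in capture.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        ts, src, dst = float(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src != device:
            continue  # only outbound packets from the device matter here
        if ts < vpn_up_at:
            seen_before.add(dst)  # destination contacted before the tunnel existed
            continue
        if dst == vpn or dst in lan or dst.is_multicast:
            continue  # tunnel traffic, or local traffic that never leaves the LAN
        leaks[dst].append(ts)
    return {str(d): (len(t), max(t) - vpn_up_at, d in seen_before)
            for d, t in leaks.items()}

if __name__ == "__main__":
    result = find_vpn_bypass(SAMPLE_CAPTURE, "192.168.1.23", "203.0.113.10",
                             "192.168.1.0/24", 1000.0)
    for dst, (count, secs, old) in result.items():
        print(f"{dst}: {count} packets outside the tunnel, last seen "
              f"{secs:.0f}s after VPN up, pre-existing={old}")
```

An empty result means every outbound packet after the VPN came up went to the VPN server or stayed on the local network.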

As a workaround, ProtonVPN recommends the following steps, although they are not guaranteed to always work:

  • Connect to any ProtonVPN server.
  • Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN.
  • Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%.

Apple has recommended that users use always-on VPN to mitigate the issue, but this is not possible for all VPN users and services.

It is unclear when Apple will patch this issue, as it has been over 3 months since it was brought to the company’s attention. Until then, be extra careful when using a VPN on iOS or iPadOS.
