iOS VPN Bug Prevents Encryption of Traffic for Years, Researchers Say

iOS VPN bug

A few years ago, engineers at Proton Technologies, the company behind ProtonMail and ProtonVPN, talked about a bug in iOS 13.3.1 that prevents VPN apps from encryption of all traffic. As information security experts now report, the problem has not yet been fixed.

Let me remind you that we also wrote that Vulnerability in WebKit engine could redirect iOS and macOS users to scam sites, and also that For iOS was discovered a new exploit, with the help of which China traced the Uyghurs.

In 2020, Proton Technologies experts explained that when using a VPN, the operating system must close all existing Internet connections and restore them through a VPN tunnel to protect the user’s privacy and data. However, iOS for some reason can’t keep up with closing existing connections, leaving the traffic insecure as a result. For example, new Internet connections will connect through the VPN tunnel, but connections that were already active when the user connected to the VPN server will remain outside the tunnel.

Although insecure connections are becoming less common, the main problem is that the user’s IP address and the IP address of the server to which it connects remain open, and the server “sees” the user’s real IP address instead of the VPN server’s IP address.

As The Register now writes, Proton Technologies researchers continued to wait for the release of the patch for a very long time. From time to time, specialists have updated their report and say that there is still no fix, although Apple is aware of the problem. So, until recently, the last update in the text was dated October 19, 2020, and it reported that the vulnerability had not been finally fixed in iOS 13.4, 13.5, 13.6, 13.7 and 14.

Earlier this year, cybersecurity researcher and developer Michael Horowitz re-examined this situation and found that VPNs in iOS still do not work correctly and provoke data leaks.

VPNs don’t work on iOS. At first, they seem to work fine. The iOS device gets a new public IP address and new DNS servers. The data is transmitted to the VPN server. But over time, a detailed check of the data leaving the device shows that the VPN tunnel is leaking. The data does not leave the iOS device through the VPN tunnel. This is not a normal DNS leak, but this is a data leak.Horowitz wrote in early August, in a post titled 'VPN on iOS is a scam'.

Horowitz writes that back in May 2022, he sent an email to Apple announcing this leak. In July, he said that he exchanged several letters with the company, but this did not give any result:

To date, about five weeks later, Apple has said virtually nothing to me. They didn’t say if they tried to recreate the problem. They didn’t say if they agreed it was a vulnerability. They didn’t say anything about a fix.

In addition, at the end of last week, on August 18, 2022, Proton Technologies experts updated their old report again. They argue that the kill switch feature that Apple introduced to developers with the release of iOS 14 does block additional network traffic, but “some DNS queries from Apple services can still be sent outside of a VPN connection.”

This is similar to the situation we reported two years ago. Most connections are short-lived and will eventually self-repair through the VPN tunnel. However, some operate for a long time and may remain open for minutes to hours outside the tunnel.

We have repeatedly discussed this issue with Apple. Unfortunately, fixing the problem is very problematic. Apple stated that this behavior is “to be expected” and “Always On VPN is only available on MDM controlled devices.” We urge Apple to make a completely secure web experience available to everyone, not just those connected to a proprietary remote device management framework designed for enterprises.says Proton Technologies.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.