It’s less than a week since Apple’s iOS 13.4 appeared and already researchers have discovered a bug that puts at risk the privacy of Virtual Private Network (VPN) connections.
Publicised by ProtonVPN, the issue is a bypass flaw caused by iOS not closing existing connections as it establishes a VPN tunnel, affecting iOS 13.3.1 as well as the latest version.
The company said it was disclosing the issue despite there being no patch because it believed it was better that providers and users knew about it now. Remote working and VPN use has increased as more workers self-isolate to avoid COVID-19.
Luckily, ProtonVPN has also discovered a workaround which involves turning airplane (or flight) mode on and off to reset all connections (see below for full instructions).
VPN privacy
A VPN app should open a private connection to a dedicated server through which all internet traffic from the device is routed before being forwarded to the website or service someone is accessing.
This means the ISPs and public Wi-Fi routers can’t snoop on the user’s traffic while websites and services can’t see the real IP address of the user.
This is more comprehensive than HTTPS, which only secures connections to individual websites or installed apps, one at a time. HTTPS also doesn’t hide other revealing traffic such as that to Domain Name Servers (DNS), which ISPs monitor to see which web domains someone is visiting.
The bypass bug
A ProtonVPN researcher fired up a monitoring tool called Wireshark and noticed that even when the VPN was turned on it was still possible to see that traffic was passing between the device and third-party IP addresses.
That means that iOS wasn’t closing those connections when the VPN started. What it should have been doing was terminating them before reconnecting them once the VPN has been established.
In short, everything that starts after the VPN is loaded will be secure but everything before that moment might not be if it doesn’t reset the connection of its own accord (some being longer-lasting than others).
This wouldn’t expose the information being passed inside those connections, which on iOS will use HTTPS. However:
An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.
The IP address might sound less important than the information passed from, say, an installed app, but it reveals the ISP location and, potentially, the identity of the end-user. It also leaks information on the IPs the device has previously connected to, for example, a website or service.
Workarounds
A patch might not appear for weeks, which leaves users with two workarounds.
The first, suggested by Apple, is to configure the Always-on VPN setting via mobile device management (MDM). That should be possible for some business users.
However, it won’t be an option for home users running a third-party VPN app they downloaded from the App Store, which leads us to the second option:
- Connect to the app’s VPN server.
- Turn on airplane mode. This will kill all internet connections and temporarily disconnect the VPN.
- Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel (this is not guaranteed to work 100% of the time).
Of course, users still have to remember to do this each time they connect, possibly several times a day. It’s far from ideal.
At least Apple knows about the issue. ProtonVPN said:
We have been in contact with Apple, which has acknowledged the VPN bypass vulnerability and is looking into options to mitigate it. Until an update is available from Apple, we recommend the above workarounds.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Mark Khan
Good Day:
I just finished setting up an old MacBook and our iPhones. This great information and very useful! Thank you so much!
Respectfully;
Mark K.
Gabby
What would you say the risk rating is for this vulnerability? Upon initial read, it seems to me it’s a “low” risk?
Paul Ducklin
There’s a neat workaround that I’ve long used when I want to “connect afresh” without a full reboot – flight mode (remember air travel?) on to kill all network connections, flight mode off so all connections from then on are freshly started. That makes it a managable risk.
Chief
Perhaps if they weren’t wasting so much time on coding funny emoji, they’d catch stuff like this. Given their rate of failure on updates these days, it’s becoming harder and harder to give Apple the trust they used to deserve. Things have definitely dropped in quality since we lost Steve. This problems sounds like a proper testing and beta period should of ferreted it out, given the importance of VPN’s to those in business.
Paul Ducklin
To be fair, the connections you have open before starting the VPN are already runnning without it. This bug doesn’t downgrade any already-secure traffic, right? As for the security of iOS since Steve Jobs died… I suspect that stats will show a *lot* fewer jailbreaks in the past few years. The butterfly keyboard… well, I’m on Linux ATM because of the keyboard on my Mac, hmmmm… but the iPhone 11 Pro. Seen the cameras on that? Can’t imagine that Mr Jobs would disapprove. SIP on macOS, bet he’d like that.
Mike
I am using iOS 16.4.1a on my iPhone and was wondering if this flaw has been fixed since then? As it’s still listed on most VPN sites as a problem. Thanks in advance
Paul Ducklin
I don’t know.
Reports from 2022 suggest that some built-in iPhone apps still make device-direct-to-Apple connections (which are encrypted with TLS, to be clear) outside the VPN. If so, Apple might argue that this is a deliberate effort to avoid the sort of connectivity and functionality problems that would occur if and when a VPN operator decided to start inspecting your traffic (some apps insist on TLS connections that are handled directly and explicity by specific servers with specific TLS certificates); third-party VPN providers might argue that it’s somehow anti-competitive… and so on.