A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and may lead to some Internet connections bypassing VPN encryption, exposing user data or leaking IP addresses.
While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections remain outside the VPN's secure tunnel, as revealed by ProtonVPN.
This VPN bypass vulnerability (rated with a CVSS v3.1 base score of 5.3) was discovered by a security consultant from the Proton community and was disclosed by ProtonVPN to raise awareness of the issue among users and other VPN providers.
The connections remain open and exposed
The bug is that Apple’s iOS does not disconnect all existing Internet connections when the user connects to a VPN and automatically reconnects them to the target servers after establishing the VPN tunnel.
“Most of the connections are short-lived and will eventually be re-established on their own through the VPN tunnel,” explains ProtonVPN. “However, some are long-lasting and can remain open for minutes or hours outside the VPN tunnel.”
While those connections remain outside the secure VPN tunnel, this problem can have serious consequences.
For example, user data could be exposed to third parties if the connections are not themselves encrypted, and leaked IP addresses could reveal users' location or expose them and the target servers to attacks.
Although users should only see traffic between their device's local IP address and the VPN servers, other IP addresses (Apple servers, in the screenshot above) also appear, because of previously opened connections that were not terminated before the VPN connected.
While ProtonVPN cites Apple's push notifications as a good example of a process that keeps connections to Apple servers open without closing them automatically, this bug can affect any service or app running on the user's iOS device, from web beacons to instant messaging applications.
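The check described above, as an added example (not ProtonVPN's or Apple's code): given a summary of packets seen on the physical interface and the time the tunnel came up, flag flows that keep sending afterwards and are neither the VPN server nor a LAN peer. Addresses, ports, timestamps and the flow records are constructed sample data.

```python
# Added example (not ProtonVPN's or Apple's code): flag connections that keep
# sending on the physical interface after the tunnel is up, other than the VPN
# tunnel itself and LAN peers. Addresses, ports and timestamps are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_SERVER = ip_address("203.0.113.10")  # constructed (TEST-NET-3 range)
TUNNEL_UP_AT = 100.0                       # seconds since capture start, constructed

LOCAL_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10")]


@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    dst: str    # destination address as seen on the Wi-Fi/cellular interface
    dport: int


def is_local(addr) -> bool:
    return any(addr in net for net in LOCAL_NETS)


def find_leaks(packets, vpn_server=VPN_SERVER, tunnel_up_at=TUNNEL_UP_AT):
    """Return {(dst, dport): (first_seen, last_seen)} for flows still active
    after tunnel-up that are neither the VPN server nor a local peer.
    Per the article, a leaked flow is one opened before tunnel-up that iOS
    left outside the tunnel; one opened afterwards would be unexpected."""
    flows = {}
    for p in packets:
        first, last = flows.get((p.dst, p.dport), (p.ts, p.ts))
        flows[(p.dst, p.dport)] = (min(first, p.ts), max(last, p.ts))
    return {
        key: span for key, span in flows.items()
        if span[1] >= tunnel_up_at
        and ip_address(key[0]) != vpn_server
        and not is_local(ip_address(key[0]))
    }


# Constructed capture summary: a long-lived connection opened before the
# tunnel (e.g. a push-notification socket), a short-lived one that finished
# before tunnel-up, the VPN tunnel itself, and a LAN DNS query.
SAMPLE = [
    Packet(10.0, "192.0.2.50", 5223), Packet(150.0, "192.0.2.50", 5223),
    Packet(20.0, "198.51.100.7", 443), Packet(30.0, "198.51.100.7", 443),
    Packet(120.0, "203.0.113.10", 51820),
    Packet(130.0, "192.168.1.1", 53),
]

if __name__ == "__main__":
    for (dst, port), (first, last) in find_leaks(SAMPLE).items():
        when = "pre-existing" if first < TUNNEL_UP_AT else "new"
        print(f"LEAK {dst}:{port} active {first}-{last}s ({when})")
```

Only the long-lived flow to 192.0.2.50 is reported; the short-lived one, the tunnel traffic and the LAN query are not.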
“Those most at risk from this security flaw are people in countries where surveillance and civil rights violations are common,” says ProtonVPN.
“Neither ProtonVPN nor other VPN services can provide an alternative solution to this problem because iOS does not allow a VPN app to break existing network connections.”
Last year, we discovered a vulnerability in iOS that causes connections to ignore VPN encryption. This is a bug in iOS that affects all VPNs. We have informed Apple and are now sharing the details so that we can stay safe. https://t.co/78v3Brispm
– ProtonVPN (@ProtonVPN) March 25, 2020
Apple acknowledged the VPN bypass vulnerability after ProtonVPN's report and is currently looking into options for fully mitigating it.
Until a fix is provided, Apple recommends using Always-On VPN to mitigate this problem. However, since this workaround relies on device management, it cannot be used to mitigate the vulnerability for third-party VPN apps like ProtonVPN.
ProtonVPN recommends the following procedure if you are using a third-party VPN:
- Connect to a VPN server.
- Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.
- Turn off airplane mode. The VPN will reconnect and other connections should also reconnect within the VPN tunnel (not 100% reliable).