Unpatched Bug in Recent iOS Versions Keeps VPN From Encrypting All Traffic

Yolanda Curtis
March 30, 2020

An unpatched bug in iOS 13.3.1 and later can prevent a virtual private network (VPN) from encrypting all of a device's traffic, leaving data and IP addresses visible outside the tunnel.

The VPN bypass vulnerability was first discovered in 2019 by a security researcher who is part of the Proton community. Proton states that when a VPN is enabled, iOS 13.4 does not terminate connections that were already open outside the tunnel, and "some are long-lasting and will stay open outside the VPN tunnel for minutes to hours".

VPN apps cannot work around this on their own, because Apple does not allow a VPN app to kill existing network connections. Those connections therefore continue to flow outside the tunnel, bypassing the VPN's encryption.

"Those most at risk due to this security breach are people from countries where surveillance and civil rights abuses are common", says ProtonVPN. In theory, any app can fall into this trap, including web browsers and instant messaging services. The issue can also leak the user's real IP address, revealing their location, and can expose which destination servers they are talking to.

Apple's push notification service is one example of a long-lived connection that is not closed when a VPN tunnel is established, says ProtonVPN.

Apple acknowledged the VPN bypass vulnerability after ProtonVPN's report and is now looking into options on how to fully mitigate it.

The problem arises when an iPhone user connects to a VPN server while the device already holds open connections to internet services and websites, as most iPhones normally do. The Wireshark screenshot illustrating the phenomenon in the ProtonVPN blog post shows the bypassed traffic going to and from Apple servers, which are easy to recognise because Apple's own addresses occupy an entire IP address block (17.0.0.0/8).
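A practitioner who wants to confirm the leak on their own device would capture on the physical interface (with tcpdump or Wireshark) and look for any flow, after the tunnel is up, whose destination is not the VPN server. The script below is an added example written for this article, not ProtonVPN's or Apple's code: it reads a constructed, one-line-per-packet log format invented here, infers the moment the tunnel came up from the first packet to the VPN server, and reports every other flow still active after that moment, distinguishing connections that were already open before the tunnel (the iOS behaviour described above) from ones opened later. All addresses in the sample are documentation ranges chosen for illustration.

```python
"""Flag flows that bypass a VPN tunnel after the tunnel comes up.

Added example, not ProtonVPN's or Apple's code. Input is a packet log
captured on the device's physical interface, where, once the tunnel is
up, only packets to the VPN server itself should appear.
"""
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample capture in a made-up one-line-per-packet format:
#   <epoch seconds> <src ip>:<port> <dst ip>:<port> <proto>
# Addresses come from the RFC 5737 documentation ranges; 198.51.100.9 plays
# the VPN server and 203.0.113.20:5223 a long-lived push-style connection.
SAMPLE_LOG = """\
100.0 10.0.0.5:51000 203.0.113.20:5223 tcp
100.5 10.0.0.5:51001 192.0.2.80:443 tcp
101.0 10.0.0.5:51002 192.0.2.81:443 tcp
103.0 10.0.0.5:51003 198.51.100.9:1194 udp
104.0 10.0.0.5:51000 203.0.113.20:5223 tcp
105.0 10.0.0.5:51003 198.51.100.9:1194 udp
106.0 10.0.0.5:51001 192.0.2.80:443 tcp
107.0 10.0.0.5:51004 203.0.113.44:443 tcp
108.0 10.0.0.5:51003 198.51.100.9:1194 udp
120.0 10.0.0.5:51000 203.0.113.20:5223 tcp
"""


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    first_seen: float
    last_seen: float
    packets: int = 0


@dataclass
class Leak:
    flow: Flow
    status: str  # "pre-existing" (open before the tunnel) or "new" (opened after)


def parse_log(text):
    """Parse the constructed log format into (ts, src_ip, dst_ip, dport, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dport = dst.rsplit(":", 1)
        ip_address(src_ip)  # raises ValueError on a malformed address
        ip_address(dst_ip)
        records.append((float(ts), src_ip, dst_ip, int(dport), proto.lower()))
    return records


def find_bypass_flows(records, vpn_server):
    """Return (tunnel_up_time, {(dst, dport, proto): Leak}) for every flow that
    is still active after the tunnel came up and does not go to the VPN server."""
    vpn_ip = str(ip_address(vpn_server))
    vpn_up = min((ts for ts, _, dst, _, _ in records if dst == vpn_ip), default=None)
    if vpn_up is None:
        raise ValueError("no packets to the VPN server: the tunnel never came up")

    flows = {}
    for ts, src, dst, dport, proto in sorted(records):
        key = (src, dst, dport, proto)
        flow = flows.get(key)
        if flow is None:
            flows[key] = flow = Flow(src, dst, dport, proto, ts, ts)
        flow.last_seen = max(flow.last_seen, ts)
        flow.packets += 1

    leaks = {}
    for flow in flows.values():
        if flow.dst == vpn_ip or flow.last_seen < vpn_up:
            continue  # tunnel traffic, or a connection that ended before the tunnel
        status = "pre-existing" if flow.first_seen < vpn_up else "new"
        leaks[(flow.dst, flow.dport, flow.proto)] = Leak(flow, status)
    return vpn_up, leaks


if __name__ == "__main__":
    up, leaks = find_bypass_flows(parse_log(SAMPLE_LOG), "198.51.100.9")
    print(f"tunnel up at t={up}")
    for (dst, dport, proto), leak in sorted(leaks.items()):
        f = leak.flow
        print(f"{leak.status:12} {proto}/{dst}:{dport} packets={f.packets} "
              f"first={f.first_seen} last={f.last_seen}")
```

On the sample, the push-style connection to 203.0.113.20 and the web connection to 192.0.2.80 are reported as pre-existing leaks, the connection to 192.0.2.81 is ignored because it ended before the tunnel came up, and the flow to 203.0.113.44 is reported as new, which on iOS would point at something other than this bug (a split-tunnel or DNS configuration, for instance). Running the same check on a capture taken after ProtonVPN's airplane-mode toggle is a quick way to verify that the pre-existing entries have gone.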

The bug cannot be fixed by a third-party VPN application, because Apple's strict iOS sandbox restrictions prevent an app from interrupting connections it does not own.

In their testing, ProtonVPN repeatedly found evidence of connections to external servers other than the VPN server after the tunnel was up. Fortunately, they have also devised a simple workaround that any iPhone or iPad user can follow: connect to the VPN, switch Airplane Mode on, then switch it off again. This drops the existing connections so that they are re-established inside the tunnel; it mitigates the problem, though it does not guarantee that every connection ends up encrypted by the VPN. It is also positive that ProtonVPN chose to share what they uncovered transparently and publicly, to benefit all VPN users rather than just their own, and doing so puts more pressure on Apple to find and roll out a fix.
