iOS bug that stops VPN apps from encrypting user traffic is still out there: How you can fix it
Those at highest risk of this security flaw are people in countries where surveillance and civil rights abuses are common.
Apple recently released the iOS 13.5. The update came with a lot of fixes but not one for the vulnerability that users spotted on the iOS version 13.4. This vulnerability stopped all VPN apps on the device from encrypting user traffic. The latest update has not rectified this and the vulnerability still exists. iOS does not permit any VPN app to kill existing network connections and that means there is nothing VPN providers can do to resolve the situation, only Apple can fix it.
According to estimates, millions of users around the world could be at risk because of this vulnerability, ProtonVPN explained in a blog.
How the iOS VPN bypass vulnerability works
Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel.
A member of the ProtonVPN community discovered that in iOS version 13.3.1, the operating system does not close existing connections. The issue also persisted in the 13.4 version of the iOS. Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
One prominent example in this case was Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons.
The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.
Those at highest risk of this security flaw are people in countries where surveillance and civil rights abuses are common. Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.
Till Apple fixes this, here’s how to mitigate the iOS VPN bypass vulnerability -
Internet connections established after you connect to VPN are not affected. But connections that are already running when you connect to VPN may continue outside the VPN tunnel indefinitely. There is no way to guarantee that those connections will be closed at the moment you start a VPN connection.
However, the following technique might be the most effective:
1. Connect to any VPN server.
2. Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.
3. Turn off airplane mode and the VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though it cannot be guaranteed a 100%.
Alternatively, Apple recommends using an always-on VPN to mitigate this issue. This method requires using device management, so unfortunately it doesn’t mitigate the issue for third-party applications (like the VPN apps).
This vulnerability was first reported by Luis, a security consultant and member of the Proton community.