Failure in iOS 13.3.1 may expose user data from VPNs

Joanna Estrada
March 30, 2020

A vulnerability in iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all network traffic, according to ProtonVPN, which discovered the flaw. The unpatched vulnerability can cause some Internet connections to bypass VPN encryption, exposing the user's data or IP address.

This security vulnerability was discovered by a user of ProtonVPN.

When a VPN connection is established, iOS should close all network connections, connect to the VPN and restart network processes using the VPN encryption. The VPN connection would normally mask that.

Any fix for the issue will need to be implemented by Apple. VPNs cannot fix it themselves, because iOS doesn't allow VPN apps to kill existing network connections.

They recommend that after you have connected to your chosen VPN server, you head into your device's settings menu and switch Airplane mode on and off. This may kill other network connections, though Proton said it doesn't always work.

One person responding to Strafach's tweet cited an OpenVPN support FAQ that states: "Many Apple services such as Push Notifications and FaceTime are never routed through the VPN tunnel, as per Apple policy." "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." "An attacker could see the users' IP address and the IP address of the servers they're connecting to," ProtonVPN explained in a post about the bug.

According to the findings, user data could be exposed to third parties, or your IP address could be leaked, potentially revealing your location or exposing both the user and destination servers to attacks. As a result, that long-running connection also affects any app or service, including VPNs.

Apple is aware of the issue, and it is now working to fix it.

The problem seems to arise when an iPhone user connects to a VPN server while already connected to internet services and websites, as most iPhones normally would be. They found direct traffic between the iOS device's IP address and an external IP address that belonged not to the VPN server but to an Apple server. Moreover, VPN service providers can't provide a workaround from their end to fix the loophole, since it exists at the operating system level.
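The check described above, looking for traffic between the device and any external address other than the VPN server once the tunnel is up, can be run over a capture summary. This is an added example, not code from ProtonVPN or this article; the record format, addresses, timestamps and function name are constructed for illustration.

```python
import ipaddress

# Constructed capture summary (not real data): "seconds src_ip dst_ip".
# Assumed roles: 192.168.1.20 = iOS device, 203.0.113.10 = VPN server,
# 198.51.100.7 = a service the device was already talking to.
SAMPLE = """\
0.0 192.168.1.20 198.51.100.7
4.0 192.168.1.20 192.168.1.1
5.0 192.168.1.20 203.0.113.10
9.5 198.51.100.7 192.168.1.20
12.0 192.168.1.20 203.0.113.10
30.0 192.168.1.20 192.168.1.1
61.2 192.168.1.20 198.51.100.7
70.0 203.0.113.10 192.168.1.20
"""

def find_leaks(capture, device_ip, vpn_ip, vpn_up_at, lan_cidr):
    """Return {remote_ip: (packet_count, last_seen)} for packets seen after
    the tunnel came up that travel between the device and a host that is
    neither the VPN server nor on the local network."""
    device = ipaddress.ip_address(device_ip)
    vpn = ipaddress.ip_address(vpn_ip)
    lan = ipaddress.ip_network(lan_cidr)
    leaks = {}
    for line in capture.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed rows
        ts = float(parts[0])
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[2])
        if ts < vpn_up_at or device not in (src, dst):
            continue  # before the VPN connected, or not this device's traffic
        remote = dst if src == device else src
        if remote == vpn or remote in lan:
            continue  # tunnel traffic and local gateway traffic are expected
        count, last = leaks.get(str(remote), (0, ts))
        leaks[str(remote)] = (count + 1, max(last, ts))
    return leaks

if __name__ == "__main__":
    found = find_leaks(SAMPLE, "192.168.1.20", "203.0.113.10", 5.0, "192.168.1.0/24")
    for ip, (n, last) in found.items():
        print(f"outside tunnel: {ip} packets={n} last_seen={last}s")
```

A large `last_seen` value relative to the VPN connect time corresponds to the long-lasting connections the article describes.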

Connect to a VPN server. It will also put more pressure on Apple to find and roll out a fix for the issue.
