Until Apple patches this security flaw your VPN traffic might not be secure
The recently open-sourced ProtonVPN has issued a warning about a bug in iOS that leaves some VPN traffic unencrypted.
Apple is yet to release a fix for the VPN bypass vulnerability which affects iOS 13.3.1 and later. The flaw means that some connections may exist outside of the secure VPN tunnel for several hours, leaving traffic open to interception and potentially exposing users' real IP addresses.
ProtonVPN says that it was alerted to the issue by a member of its community, Luis, a security consultant. The company usually follows a responsible disclosure program under which security bugs are not revealed for 90 days, but this time around it judged this to be a type of bug that VPN users and developers needed to be made aware of.
Explaining the vulnerability, ProtonVPN says:
Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel.
A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
One prominent example is Apple's push notification service, which maintains a long-running connection between the device and Apple's servers. But the problem could impact any app or service, such as instant messaging applications or web beacons.
The VPN bypass vulnerability could result in users' data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users' IP address and the IP address of the servers they're connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.
Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.
The company goes on to warn: "Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections".
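Because the VPN app cannot see or close these connections, the leak described above is easiest to confirm from the network side, for example from a home router's connection-tracking or flow log: once the tunnel is up, any flow from the phone that does not terminate at the VPN server is running outside the tunnel. The following is an added example, not ProtonVPN's or Apple's code; the flow records, addresses and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Flow:
    src: str            # device address on the LAN
    dst: str            # remote address
    dport: int
    first_seen: datetime
    last_seen: datetime


def flows_outside_tunnel(flows, device_ip, vpn_server_ip, vpn_up_at):
    """Return every flow from device_ip still alive after vpn_up_at that
    does not terminate at the VPN server. Flows whose first_seen predates
    the tunnel are exactly the ones the iOS bug leaves open."""
    leaks = []
    for f in flows:
        if f.src != device_ip or f.dst == vpn_server_ip:
            continue                      # other device, or the tunnel itself
        if f.last_seen <= vpn_up_at:
            continue                      # finished before the tunnel existed
        exposed = f.last_seen - max(f.first_seen, vpn_up_at)
        leaks.append({"dst": f.dst, "dport": f.dport,
                      "pre_existing": f.first_seen < vpn_up_at,
                      "exposed_for": exposed})
    return leaks


# Constructed sample: a phone (192.0.2.20) brings up a VPN to 198.51.100.5
# at 09:00. Addresses are documentation ranges, not real hosts.
VPN_UP = datetime(2020, 3, 26, 9, 0)
SAMPLE_FLOWS = [
    # long-lived push-notification style connection opened before the VPN
    Flow("192.0.2.20", "203.0.113.10", 5223, datetime(2020, 3, 26, 8, 0), datetime(2020, 3, 26, 12, 0)),
    # short web request that finished before the tunnel came up
    Flow("192.0.2.20", "203.0.113.20", 443, datetime(2020, 3, 26, 8, 55), datetime(2020, 3, 26, 8, 58)),
    # the VPN tunnel itself
    Flow("192.0.2.20", "198.51.100.5", 1194, VPN_UP, datetime(2020, 3, 26, 12, 0)),
    # another device on the LAN, not under test
    Flow("192.0.2.30", "203.0.113.40", 443, datetime(2020, 3, 26, 9, 30), datetime(2020, 3, 26, 9, 31)),
]


def audit_sample():
    return flows_outside_tunnel(SAMPLE_FLOWS, "192.0.2.20", "198.51.100.5", VPN_UP)


if __name__ == "__main__":
    for leak in audit_sample():
        print(leak)   # the 5223 flow, outside the tunnel for three hours
```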
There are a couple of potential workarounds to use until Apple releases a patch. ProtonVPN suggests the following steps:
- Connect to any ProtonVPN server
- Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN
- Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100 percent
A suggestion from Apple is to use Always-on VPN, but ProtonVPN warns: "This method requires using device management, so unfortunately it doesn’t mitigate the issue for third-party applications such as ProtonVPN".