Apple iOS 13.4 blocks VPNs from encrypting all traffic

A flaw means connections aren’t shut off when they’re supposed to be, and continue outside of the VPN tunnel

A security vulnerability in the latest version of Apple’s iOS software prevents third-party virtual private networks (VPNs) from encrypting all user traffic.

When a VPN is activated on a device, the operating system typically shuts off all existing connections and then re-establishes them through the VPN tunnel. Version 13.4 of Apple’s iOS, however, does not close connections that were already open when the VPN came up, so those sockets keep running outside the tunnel. The issue was first discovered in version 13.3.1.

This affects some apps but not all, because a wide swathe of connections are short-lived and are closed automatically anyway.

Some connections, however, remain open for minutes or even hours, and will remain established outside of the VPN tunnel, according to researchers with ProtonVPN.

Apple’s push notifications, for example, fall into the latter category and maintain a long-running connection between the device and Apple’s servers. Messaging apps and web beacons can be affected in the same way.

“The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays),” ProtonVPN said.

“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common. Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.”

The developer added that the most common consequence is an IP leak: an observer on the network can see the user’s real IP address and the IP address of the server being contacted, and the server itself sees the user’s true IP address rather than that of the VPN server.

ProtonVPN used Wireshark to capture an iOS device’s network traffic to establish proof of the vulnerability. With the VPN connected, they found direct traffic between the device’s IP address and an external IP address that was not the VPN server but an Apple server.

Had the connection gone through the tunnel, they would have expected to see traffic only between the device’s IP address and the VPN server, or between the device and local IP addresses.
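The check the researchers describe, written out as an added example that is not ProtonVPN’s or Apple’s code: given a per-packet export from a capture taken while the VPN is up, flag every packet exchanged directly between the device and an Internet host other than the VPN server. The capture rows, the device address 192.168.1.23, the VPN server 203.0.113.10 and the peer 198.51.100.7 (standing in for the long-lived push-notification connection) are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample, not a real capture: one row per packet as
# src,dst,proto,src_port,dst_port (fields tshark can export with
# "-T fields -e ip.src -e ip.dst ..."). Addresses use RFC 5737 documentation
# ranges; 203.0.113.10 plays the VPN server and 198.51.100.7 stands in for
# the long-lived push-notification peer described in the article.
SAMPLE_CAPTURE = """\
192.168.1.23,203.0.113.10,UDP,60123,4500
203.0.113.10,192.168.1.23,UDP,4500,60123
192.168.1.23,198.51.100.7,TCP,49731,5223
198.51.100.7,192.168.1.23,TCP,5223,49731
192.168.1.23,192.168.1.1,UDP,52001,53
192.168.1.23,224.0.0.251,UDP,5353,5353
192.168.1.50,198.51.100.9,TCP,40000,443
"""

# Peers that are legitimately reached outside the tunnel: the LAN, link-local,
# loopback and multicast. Listed explicitly rather than via is_private so that
# documentation-range addresses in the sample count as "Internet" peers.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4",
)]


def parse_capture(text):
    """Turn the CSV rows into (src, dst, proto, src_port, dst_port) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto, int(sport), int(dport)))
    return flows


def is_local(addr):
    """True for peers that never need to traverse the tunnel."""
    return any(addr in net for net in LOCAL_NETWORKS)


def find_tunnel_bypass(flows, device_ip, vpn_server_ip):
    """Count packets exchanged directly between the device and any Internet
    peer other than the VPN server. With a working tunnel this is empty."""
    device_ip = ipaddress.ip_address(device_ip)
    vpn_server_ip = ipaddress.ip_address(vpn_server_ip)
    leaks = Counter()
    for src, dst, proto, sport, dport in flows:
        if src == device_ip:
            peer, peer_port = dst, dport
        elif dst == device_ip:
            peer, peer_port = src, sport
        else:
            continue  # traffic from other hosts on the LAN is not our concern
        if peer == vpn_server_ip or is_local(peer):
            continue
        leaks[(str(peer), proto, peer_port)] += 1
    return leaks


if __name__ == "__main__":
    leaks = find_tunnel_bypass(parse_capture(SAMPLE_CAPTURE),
                               "192.168.1.23", "203.0.113.10")
    for (peer, proto, port), packets in leaks.items():
        print(f"bypass: {proto} {peer}:{port} ({packets} packets outside the tunnel)")
```

A real run replaces SAMPLE_CAPTURE with rows exported from Wireshark or tshark for the device under test. On a correctly tunnelled device the result is empty; a flow that shows up here and keeps accumulating packets long after the VPN came up is exactly the symptom the researchers captured.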

Apple has acknowledged the VPN bypass vulnerability and is looking into ways to mitigate the issue, according to the researchers.
