A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption, exposing users’ data or leaking their IP addresses.
While connections made after connecting to a VPN on an iOS device are not affected by this bug, all previously established connections remain outside the VPN’s secure tunnel, as ProtonVPN disclosed.
This VPN bypass vulnerability (rated with a CVSS v3.1 base score of 5.3) was discovered by a security consultant who is part of the Proton community and was disclosed by ProtonVPN to make users and other VPN providers aware of the issue.
Connections remain open and exposed
The bug is caused by iOS not terminating all existing Internet connections when the user connects to a VPN, so those connections are never forced to reconnect to their destination servers through the tunnel once it is established.
“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own,” ProtonVPN explains. “However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.”
While these connections remain outside the VPN’s secure channel, the issue can have serious consequences.
For instance, user data could be exposed to third parties if the connections are not themselves encrypted, and IP address leaks could reveal a user’s location or expose both the user and the destination servers to attacks.
Even though users should only see traffic exchanged between their devices, local IP addresses, and the VPN’s servers, other IP addresses also show up (Apple server IPs in the screenshot above) because previously opened connections are not terminated before the VPN connects.
While ProtonVPN cites Apple’s push notifications as a good example of a process whose connections to Apple servers won’t be closed automatically, this bug can affect any service or app running on the user’s iOS device, from web beacons to instant messaging applications.
“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” ProtonVPN says.
“Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.”
Last year, we discovered a vulnerability in iOS that causes connections to bypass VPN encryption. This is a bug in iOS that impacts all VPNs. We have informed Apple, and we are now sharing details so you can stay safe. https://t.co/78v3Brispm
— ProtonVPN (@ProtonVPN) March 25, 2020
Apple acknowledged the VPN bypass vulnerability after ProtonVPN’s report and is currently looking into options to fully mitigate it.
Until a fix is provided, Apple recommends using Always-on VPN to mitigate the problem. However, since this workaround relies on device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN.
ProtonVPN recommends the following procedure if you are using a third-party VPN:
- Connect to a VPN server.
- Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.
- Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel (not 100% reliable).
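One way to check a router-side packet capture for the kind of traffic the screenshot above shows, and to verify whether the airplane-mode procedure actually moved long-lived connections into the tunnel. This is an added example, not ProtonVPN’s or Apple’s code; the capture lines, the device address 192.0.2.10, the VPN server 198.51.100.5 and the connect time are constructed.

```python
import re

# Constructed tcpdump-style lines from a capture on the device's router (sample data,
# not from the article). Device 192.0.2.10 brings up its VPN tunnel to 198.51.100.5 at
# 10:00:05; the 5223 flow stands in for a long-lived push-notification connection.
SAMPLE_CAPTURE = """\
09:59:50.000 IP 192.0.2.10.50000 > 203.0.113.7.443: Flags [S]
09:59:50.100 IP 192.0.2.10.50001 > 203.0.113.8.5223: Flags [S]
10:00:05.000 IP 192.0.2.10.51820 > 198.51.100.5.51820: UDP
10:00:06.000 IP 192.0.2.10.51820 > 198.51.100.5.51820: UDP
10:00:07.000 IP 192.0.2.10.50001 > 203.0.113.8.5223: Flags [P.]
10:00:08.000 IP 192.0.2.10.50002 > 203.0.113.9.443: Flags [S]
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):"
)

def find_bypass_flows(capture, device_ip, vpn_server_ip, vpn_connect_time):
    """Return flows from device_ip that carry traffic outside the tunnel after
    vpn_connect_time, keyed by (dst_ip, dst_port, src_port) and mapped to
    (first_seen, last_seen, kind). kind is "pre-existing" for connections opened
    before the VPN came up (the iOS bug) and "new" for anything opened afterwards.
    Timestamps share one HH:MM:SS.mmm format, so string comparison orders them."""
    flows = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport = m.groups()
        if src != device_ip or dst == vpn_server_ip:
            continue  # other hosts, or the encrypted tunnel packets themselves
        key = (dst, int(dport), int(sport))
        first, _ = flows.get(key, (ts, ts))
        flows[key] = (min(first, ts), ts)
    leaks = {}
    for key, (first, last) in flows.items():
        if last < vpn_connect_time:
            continue  # finished before the tunnel existed; nothing to protect yet
        kind = "pre-existing" if first < vpn_connect_time else "new"
        leaks[key] = (first, last, kind)
    return leaks

if __name__ == "__main__":
    for (dst, dport, sport), (first, last, kind) in sorted(
        find_bypass_flows(SAMPLE_CAPTURE, "192.0.2.10", "198.51.100.5", "10:00:05.000").items()
    ):
        print(f"{kind:12} {dst}:{dport} (src port {sport}) first {first} last {last}")
```

Run it over a real tcpdump capture taken on the device’s router while the VPN is connected; any flow it reports is traffic leaving the device outside the tunnel, and an empty result after the airplane-mode toggle means the pre-existing connections did reconnect inside it.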