Built-in iOS VPNs Leaking Traffic Data From Over Two Years Ago

According to a security researcher from New York, iOS and iPadOS devices leak data while a VPN is connected, the opposite of what the feature is designed to do.

August 18, 2022

The VPN functionality on Apple devices is broken. According to a security researcher from New York, iOS and iPadOS devices leak data while a VPN is connected, the opposite of what the feature is designed to do.

Michael Horowitz, a veteran in the technology space and an independent consultant and blogger, said that the defect in Apple device VPNs generates data breaches rather than legacy DNS leaks.

A VPN bypass vulnerability in Apple iOS 13 and 14 was first made public by ProtonVPN in March 2020. It was also reported to Apple, but Horowitz’s latest findings suggest that the company sat on it for over two years while the bug remains a security concern, even in the latest iOS 15.

When a VPN connection or tunnel is established, all other unencrypted internet connections are terminated, restarted, and secured by routing them through the VPN tunnel. However, not all connections are terminated on iOS devices, making them susceptible to being intercepted.

A successful VPN tunnel shields the IP address, DNS servers, etc., by assigning new ones. In contrast, unrouted and unencrypted traffic could expose the IP address and possibly other users’ data. Specifically, any connection established before the iOS VPN is turned on is not terminated.

Essentially, some of the traffic leaving an Apple device doesn’t go through the VPN tunnel. Internet connections without a VPN work just fine; the problem, based on Horowitz’s research, is that a privacy and security feature isn’t delivering what it was designed to do.

This means iOS users who think they’re privately surfing the web aren’t private at all.
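One way to check for this behaviour from a router or capture point between the device and the internet, as an added example that is not from the article or from Horowitz's own testing. It separates connections that survived the tunnel coming up from new traffic sent outside it; the `Flow` record, the function name, and all addresses and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def find_vpn_leaks(flows, device_ip, vpn_server_ip, tunnel_up_ts, lan_cidr):
    """Classify packets seen on the physical link after the tunnel came up.

    Returns (survivors, new_outside): packets on connections that predate
    the tunnel, and packets on connections first seen after it, that left
    the device for a destination other than the VPN server.
    """
    lan = ip_network(lan_cidr)
    pre_tunnel = set()
    survivors, new_outside = [], []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src != device_ip:
            continue
        key = (f.proto, f.sport, f.dst, f.dport)
        if f.ts < tunnel_up_ts:
            pre_tunnel.add(key)      # connection existed before the VPN
            continue
        dst = ip_address(f.dst)
        if f.dst == vpn_server_ip or dst in lan or dst.is_multicast:
            continue                 # tunnel carrier or local-only traffic
        (survivors if key in pre_tunnel else new_outside).append(f)
    return survivors, new_outside

# Constructed sample records (documentation address ranges, not real hosts).
DEVICE, VPN, UP = "192.168.1.50", "203.0.113.10", 100.0
SAMPLE = [
    Flow(10.0, DEVICE, 51000, "198.51.100.7", 443, "tcp"),   # opened pre-VPN
    Flow(20.0, DEVICE, 51001, "198.51.100.8", 5223, "tcp"),  # opened pre-VPN
    Flow(100.5, DEVICE, 60000, VPN, 51820, "udp"),           # tunnel itself
    Flow(130.0, DEVICE, 51000, "198.51.100.7", 443, "tcp"),  # still alive
    Flow(140.0, DEVICE, 5353, "224.0.0.251", 5353, "udp"),   # mDNS, local
    Flow(150.0, DEVICE, 52000, "192.0.2.53", 53, "udp"),     # new, bypasses
    Flow(170.0, DEVICE, 51002, "192.168.1.1", 53, "udp"),    # LAN gateway
]

if __name__ == "__main__":
    old, new = find_vpn_leaks(SAMPLE, DEVICE, VPN, UP, "192.168.1.0/24")
    print("survived tunnel-up:", old)
    print("new outside tunnel:", new)
```

Any entry in the first list matches the article's description of a connection established before the VPN was turned on and never terminated.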


When Horowitz contacted Apple in May 2022 after he conducted the tests, the iPhone maker didn’t respond for a week. Later, when it did, Horowitz said that Apple “has said virtually nothing to me,” in the five weeks they exchanged emails.

“They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix,” Horowitz said. “It takes so little time and effort to re-create this, and the problem is so consistent, that if they tried at all, they should have been able to re-create it.”

Horowitz also got in touch with CISA six times, to no avail.

Horowitz explored workarounds, including always keeping the VPN on so there are no existing internet connections to kill, using the kill-switch by ProtonVPN, and using Airplane Mode to disconnect.

However, an average user relying on the first workaround could face technical difficulties in implementing it, while the latter two simply do not work. “At this point, I see no reason to trust any VPN on iOS,” Horowitz added, suggesting that users set up a second router running VPN client software to get VPN protection for iOS devices.

“It is surprising to find this problem has persisted for so long. My testing took very little hardware, software or expertise. With the billions of iOS users, it is hard to imagine that no one else bothered testing this. Then again, the world was a bit distracted in March of 2020,” Horowitz further wrote.

“It also seems that Apple has a level of trust that they do not deserve.”

Horowitz didn’t mention if Apple’s VPN On Demand exhibits similar deficiencies.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
