iOS can prevent VPNs from working as expected — and expose your data

A security researcher says Apple’s iOS devices don’t route all network traffic completely through VPNs as a user might expect, a potential security issue that the device maker has been aware of for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it clearly – albeit controversially – in a constantly updated blog post. “VPNs on iOS are broken,” he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated are not terminated and, according to Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it is active.

In other words, you might expect a VPN client to cut existing connections before establishing a secure connection so that they can be re-established within the tunnel. But iOS VPNs don’t seem to do this, Horowitz says, a finding supported by a similar May 2020 report.

“Data exits the iOS device outside the VPN tunnel,” Horowitz writes. “This is not a classic/legacy DNS leak, it’s a data leak. I confirmed this using multiple VPN types and software from multiple VPN providers. The latest version of iOS I tested with is 15.6.”
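To make the router-side check Horowitz describes concrete, the script below is an added example; it is not code from Horowitz, Proton, OVPN or Ars Technica. It parses constructed flow-log lines of the kind a router’s per-packet logging could be post-processed into (addresses are from the RFC 5737 documentation ranges, and a WireGuard-style UDP 51820 endpoint is assumed as the VPN server). Given the time the VPN came up, it flags every packet the device sent anywhere other than the VPN endpoint and separates connections that already existed before the VPN started (the article’s persistent, untunneled connections) from connections opened afterwards.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log: "timestamp proto src:port -> dst:port", one packet per line.
# 192.168.1.23 is the iOS device under test, 203.0.113.5:51820 the assumed VPN server,
# 198.51.100.20:5223 stands in for a long-lived push-style connection opened before the
# VPN came up. None of these are real endpoints.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z TCP 192.168.1.23:49152 -> 198.51.100.20:5223
2022-06-01T10:00:02Z TCP 192.168.1.23:49153 -> 198.51.100.30:443
2022-06-01T10:00:03Z UDP 192.168.1.23:49154 -> 192.168.1.1:53
2022-06-01T10:00:10Z UDP 192.168.1.23:51820 -> 203.0.113.5:51820
2022-06-01T10:00:11Z UDP 192.168.1.23:51820 -> 203.0.113.5:51820
2022-06-01T10:00:15Z TCP 192.168.1.23:49152 -> 198.51.100.20:5223
2022-06-01T10:00:20Z TCP 192.168.1.23:49160 -> 198.51.100.40:443
2022-06-01T10:00:21Z TCP 192.168.1.45:50000 -> 198.51.100.30:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    """A connection as seen from the router: 5-tuple minus nothing we don't log."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_ts(ts: str) -> datetime:
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+, so normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_log(text: str) -> List[Tuple[datetime, Flow]]:
    """Turn log lines into (timestamp, flow) pairs, skipping anything that doesn't match."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flow = Flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        packets.append((parse_ts(m["ts"]), flow))
    return packets


def leak_report(log_text: str, device_ip: str, vpn_endpoint: Tuple[str, int],
                vpn_start_iso: str) -> List[Tuple[str, str, int, str, int]]:
    """Flows from device_ip that carry packets after the VPN started and do not go to
    the VPN endpoint. Each entry is (proto, dst, dport, 'pre-existing'|'new', packets).
    With a full-tunnel VPN every post-start packet should go to the endpoint, so any
    other destination (including plain DNS to the LAN resolver) is a leak."""
    vpn_start = parse_ts(vpn_start_iso)
    first_seen: Dict[Flow, datetime] = {}
    leaked: Dict[Flow, int] = {}
    for ts, flow in sorted(parse_log(log_text), key=lambda p: p[0]):
        if flow.src != device_ip:
            continue  # another host on the LAN, not our device
        first_seen.setdefault(flow, ts)
        if ts < vpn_start:
            continue  # before the VPN came up nothing is expected to be tunneled
        if (flow.dst, flow.dport) == vpn_endpoint:
            continue  # encrypted tunnel traffic: the only traffic we expect
        leaked[flow] = leaked.get(flow, 0) + 1

    report = []
    for flow, count in sorted(leaked.items(), key=lambda kv: first_seen[kv[0]]):
        kind = "pre-existing" if first_seen[flow] < vpn_start else "new"
        report.append((flow.proto, flow.dst, flow.dport, kind, count))
    return report


if __name__ == "__main__":
    for proto, dst, dport, kind, count in leak_report(
        SAMPLE_LOG, "192.168.1.23", ("203.0.113.5", 51820), "2022-06-01T10:00:10Z"
    ):
        print(f"{kind:12} {proto} {dst}:{dport}  packets after VPN start: {count}")
```

On the constructed log this reports the pre-existing TCP 5223 connection still sending after the VPN started and one new HTTPS connection that never entered the tunnel. In practice the device’s source port alone is not a reliable key for the tunnel itself (clients may not use a fixed port), which is why the script identifies tunnel traffic by destination endpoint; it also assumes the router sits on the only path out, so anything it logs that is not bound for the endpoint genuinely left the device unencapsulated.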

Privacy company Proton previously reported an iOS VPN bypass vulnerability dating back at least to iOS 13.3.1. Like Horowitz’s post, ProtonVPN’s blog noted that a VPN will typically close all existing connections and reopen them inside the VPN tunnel, but that this didn’t happen on iOS. Most existing connections will eventually end up in the tunnel, but some, like Apple’s push notification service, can take hours.

The main problem with persistent untunneled connections is that they can be unencrypted and the user’s IP address and what they are connecting to can be seen by ISPs and other parties. “Those most at risk from this security flaw are people in countries where surveillance and civil rights violations are common,” ProtonVPN wrote at the time. That may not be an urgent concern for typical VPN users, but it is noteworthy.

ProtonVPN confirmed that the VPN bypass persisted through three consecutive updates to iOS 13. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but this functionality, as added, didn’t seem to make a difference in Horowitz’s results.

Horowitz tested the ProtonVPN app on an iPad running iOS 15.4.1 in mid-2022 and found that it still allowed persistent, untunneled connections to Apple’s push service. The Kill Switch feature added to ProtonVPN, which describes its function as blocking all network traffic if the VPN tunnel is lost, failed to prevent these leaks, Horowitz said.

Horowitz retested on iOS 15.5 with a different VPN provider and iOS app (OVPN, using the WireGuard protocol). His iPad continued to make requests to both Apple services and Amazon Web Services outside the tunnel.

ProtonVPN had suggested a workaround that was “almost as effective” as manually closing all connections when starting a VPN: connect to a VPN server, enable airplane mode, then disable it. “Your other connections will also need to reconnect within the VPN tunnel, although we cannot guarantee this 100%,” ProtonVPN wrote. Horowitz suggests that iOS’s Airplane Mode features are so confusing that this is a non-answer.

Ars Technica reached out to both Apple and OpenVPN for comment and will update this article with any responses.

Horowitz’s post does not provide any details on how iOS might fix the problem. He also doesn’t go into VPNs that offer “split tunneling,” focusing instead on the promise of a VPN that captures all network traffic. For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.

VPNs, especially commercial offerings, remain a complicated piece of internet security and privacy. Choosing a “best VPN” has long been a challenge. VPNs can be undermined by vulnerabilities, unencrypted servers, greedy data brokers, or by being owned by Facebook.

This story originally appeared on Ars Technica.
