While Apple has built a credible stance on user privacy, a recently disclosed bug suggests otherwise. An unpatched vulnerability in recent iOS versions prevents VPNs from encrypting all traffic, which can leak the IP address and other information of those using VPNs.
iOS Vulnerability Stops VPN Encryption
Reportedly, ProtonVPN has recently disclosed an as-yet unpatched vulnerability in iOS that prevents VPNs from encrypting all traffic. In an advisory, they stated that the bug affects iOS 13 versions, specifically iOS 13.3.1 and later.
The bug exists because these iOS versions do not close existing internet connections on the device after it connects to a VPN. Ideally, the device operating system closes all existing connections as soon as a VPN connection is established.
On vulnerable devices, existing connections may continue outside the VPN for a brief period even after the VPN connects. According to the researchers:
Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
Such connections, if not otherwise encrypted, may leak details about the users, such as their IP addresses.
An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.
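To check for the behaviour described above from the defender's side, the following added example (not from ProtonVPN's advisory or this article) scans packet records captured upstream of the device and reports connections that predate the tunnel and keep running outside it. The record format, function name and all addresses are assumptions constructed for illustration.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    ts: float   # seconds since the capture started
    src: str
    dst: str

def flows_outside_tunnel(packets, device_ip, vpn_server_ip, tunnel_up_ts):
    """Map each remote IP the device talked to before the tunnel came up,
    and still talks to directly afterwards, to the number of seconds that
    direct traffic persisted after tunnel_up_ts."""
    seen_before = set()
    last_after = {}
    for p in sorted(packets, key=lambda p: p.ts):
        if device_ip not in (p.src, p.dst):
            continue                      # not this device's traffic
        remote = p.dst if p.src == device_ip else p.src
        if remote == vpn_server_ip:
            continue                      # encrypted tunnel traffic
        if p.ts < tunnel_up_ts:
            seen_before.add(remote)       # connection predates the VPN
        elif remote in seen_before:
            last_after[remote] = p.ts     # still flowing outside the tunnel
    return {r: round(t - tunnel_up_ts, 1) for r, t in last_after.items()}

# Constructed sample capture (documentation-range addresses, not real data).
DEVICE, VPN_SERVER, TUNNEL_UP = "192.168.1.20", "203.0.113.10", 10.0
SAMPLE = [
    Packet(1.0, DEVICE, "198.51.100.5"),    # long-lived connection opens
    Packet(2.0, DEVICE, "198.51.100.9"),    # short-lived request
    Packet(3.0, "198.51.100.9", DEVICE),    # ...finished before the VPN
    Packet(10.5, DEVICE, VPN_SERVER),       # tunnel traffic begins
    Packet(40.0, "198.51.100.5", DEVICE),   # old connection still direct
    Packet(310.0, DEVICE, "198.51.100.5"),  # and still direct minutes later
    Packet(320.0, DEVICE, VPN_SERVER),
]

if __name__ == "__main__":
    hits = flows_outside_tunnel(SAMPLE, DEVICE, VPN_SERVER, TUNNEL_UP)
    for remote, secs in hits.items():
        print(f"{remote}: direct traffic for {secs}s after VPN connect")
```

An empty result after applying a mitigation means no pre-existing connection was observed outside the tunnel in that capture.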
Recommended Mitigations Until A Fix
For now, the problem persists on all vulnerable iOS devices and will continue to exist until Apple releases a fix. This is because iOS does not allow VPNs to kill any existing connections.
Nonetheless, researchers recommend a way to mitigate this issue: simply turn on Airplane mode on the device to kill all existing connections. Then, the user may connect to the VPN, and then turn off Airplane mode. Subsequent connections will then be established through the VPN.
Apple advises adjusting the VPN settings to ‘Always-On’ to avoid this issue. However, this may not work for third-party VPN apps since it requires the use of device management.