An online security researcher has revealed that Apple’s iOS devices do not completely redirect all network traffic through VPN connections once they are established.
The revelation poses a significant security vulnerability to all iOS users that had previously thought that a VPN connection was securing all of their internet traffic.
Even more worrying, Apple has not commented on the revelation at the time of writing, never mind taking action to resolve the issue.
What is the new iOS vulnerability?
The iOS VPN vulnerability in question has been unearthed by Michael Horowitz, a veteran online security researcher and blogger.
In his blog post, which technophile readers can find in full and regularly updated here, Horowitz makes the rather startling claim that “VPNs on iOS are broken”.
Before iOS VPN users start to panic, let’s delve into the detail a little further.
When you connect your iOS device up to a third-party VPN like ExpressVPN, your VPN provider establishes a secure encrypted tunnel, reroutes your data through its server, and tags it with a new IP Address. So far, so good.
The problem is that, according to Horowitz, any sessions and connections that have been established before you connect to your VPN are not terminated and then reconnected through the VPN link.
Horowitz has studied this in some detail and used advanced router logging to show that these connections can still send data outside the VPN connection. There is no indication from Apple, OpenVPN, or any VPN providers to indicate that this is the case, presumably because it was not known until recently.
A previously established issue
Interestingly, Horowitz’s claims are not the first time this issue has been flagged. His testing was conducted on iOS version 15.6, but security company Proton, the company behind ProtonVPN, ProtonMail, and a number of other online security tools, made similar claims about an iOS VPN bypass vulnerability back on iOS version 13.3.1.
They noted that this problem will right itself in the end. But also found that with services like notifications, this could take as long as several hours.
In his tests, Horowitz used multiple VPN providers and multiple different VPN apps. All returned the same results, which shows categorically that this is not an issue with any VPN providers, not an app vulnerability, and not a DNS leak. It is a problem within iOS itself.
Why is this vulnerability a concern?
If you are wondering why this is a concern, the answer is that it means that even when you are connected to your VPN, there could be data leaving your device but not through your VPN connection.
This data could be unencrypted and could contain information about you, including your real IP Address, which your Internet Service Provider (ISP) and other online surveillance operatives or websites could see.
This is especially a problem in countries where VPNs are used to get around state censorship or government surveillance of individual’s online activity.
The research conducted by Horowitz also tested the kill switch on ProtonVPN to see if this stopped the leak. Worryingly, it didn’t, which will be even more of a concern for users in countries of this type.
What has Apple done?
So far, there has been precious little response from the people at Apple.
After the initial Proton report into this issue, their blog claimed that Apple would shortly be adding functionality to block existing connections and overcome this problem.
They do appear to have done something in this regard, but it is clear from Horowitz’s research that this has not made any fundamental difference to the problem.
They have not commented on the latest reports yet, which is even more worrying as it suggests that they are either not worried about the security of their user’s data or simply not planning to remedy the problem.
Is there a workaround?
The good news for iOS users is that there is a workaround for this problem which was suggested by ProtonVPN back when they made their original report.
They recommend that iOS VPN users should manually close all connections before connecting to their VPN. Once you have done this, connect to a VPN server as usual, but then switch your device briefly to airplane mode and then back on again.
As ProtonVPN explains, this should force all internet connections to reconnect through the VPN connection, although it has to be said that they were not willing to guarantee 100% that this would be the case.
Horowitz is sceptical about Apple’s airplane mode, but to date, this is the best solution we have come across to the problem and is certainly better than doing nothing even if we cannot be 100% certain that it will work.
Another alternative, of course, is to switch away from iOS devices altogether and use an Android mobile device or a desktop connection when undertaking anything remotely sensitive that you need a VPN’s protection from.
Apple may not like us recommending that course of action, but perhaps it will spur them on to fixing this problem properly rather than procrastinating and putting all of their VPN-using customers at risk completely unnecessarily.