A flaw has been found in the Apple feature known as Private Relay which could leak user data by ignoring the firewall rules of your Mac device.
The flaw, identified by the VPN provider Mullvad, involves QUIC traffic being sent from your device outside the Private Relay connection, and therefore outside its protection. The only solution Mullvad were able to find for this leak was to disable Private Relay.
What is Private Relay?
If you have not come across Private Relay before, it is essentially an Apple tool which attempts to do similar things to a VPN or the Tor network. It encrypts your data and reroutes it through relay servers before it goes to the web.
If you haven’t found it on your Mac device yet, that is likely because Private Relay is still in beta at the moment and subject to testing. It is currently only available in certain regions and only to those who have a paid-for iCloud+ subscription.
These are also the main reasons why we haven’t looked at Private Relay in more detail here at VPNCompare yet. It is not currently a viable tool for most people and is not a direct competitor to the premium VPNs we review on this site.
It is, however, a sign of Apple taking the VPN market seriously and looking to get involved in the action, which is doubtless one of the reasons why Mullvad has been experimenting with it in the course of developing their own VPN app.
What the problem is
According to Mullvad, they were doing some work on their own app and monitoring their network connections while they did so. In doing this, they noticed QUIC traffic leaving the computer outside the VPN tunnel; in other words, a data leak.
On further examination they discovered that this data was leaking as a result of the Private Relay feature that was running on the same device.
They are clear that they do not know whether this data comes from the Private Relay feature itself or not. What they do know is that the leak was being triggered by the Private Relay feature.
How do they know this? Quite simple really. When they turned off the Private Relay feature, the leak stopped.
Mullvad have added a little more detail for the tech-minded readers out there. They note that Private Relay usually disables itself as soon as any firewall rules are added.
They go on to note that their own Mullvad VPN app does add firewall rules and therefore when you connect to their VPN, Private Relay will tell users that it has disabled itself. This will be the same for most other VPN clients as well.
But for other users the only way of stopping the data from leaking is to disable the Private Relay feature manually.
Mullvad also concluded that they could find no correlation between user traffic and the data that is leaking. This has led them to believe that the packets of data being sent outside the Private Relay connection are being sent to Apple servers and are therefore likely to be just some “heartbeat signal” calling home to Apple.
That may well be harmless data, then. But as Mullvad notes, it is still a strong signal to your ISP, and to anyone else who might be examining your traffic, that you are likely a macOS user. This alone could be enough information for them to try and launch an attack on your device.
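To make the observation above concrete, here is an added example (not code from Mullvad or VPNCompare) of the check a defender could run over a per-flow connection log: flag UDP/443 flows, the usual carrier for QUIC, that leave via a physical interface rather than the VPN tunnel. The log format, the sample lines and the IP addresses are constructed for this example; the assumption that macOS VPN tunnels appear as `utun` interfaces is the only macOS-specific detail.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a per-flow log (one flow per line, key=value fields).
# Addresses are made up for illustration; the 17.x destination stands in for
# an Apple-owned address, since 17.0.0.0/8 is Apple's IPv4 allocation.
SAMPLE_LOG = """\
iface=utun3 proto=udp src=10.64.0.2:51820 dst=198.51.100.7:443 bytes=1350
iface=en0 proto=udp src=192.168.1.10:49170 dst=17.0.0.200:443 bytes=1200
iface=en0 proto=udp src=192.168.1.10:5353 dst=224.0.0.251:5353 bytes=90
iface=en0 proto=udp src=192.168.1.10:49171 dst=17.0.0.200:443 bytes=1200
iface=utun3 proto=tcp src=10.64.0.2:50022 dst=203.0.113.9:443 bytes=500
"""

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    dst_host: str
    dst_port: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed key=value log line into a Flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    host, port = fields["dst"].rsplit(":", 1)
    return Flow(fields["iface"], fields["proto"], host, int(port), int(fields["bytes"]))


def find_tunnel_bypass(log_text: str, tunnel_prefixes=("utun",)) -> list:
    """Return QUIC-looking flows (UDP/443) that left on a non-tunnel interface.

    Any such flow while a VPN is up is a leak worth investigating, whatever
    the destination; the Apple range is only annotated, not used to decide.
    """
    leaks = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.proto != "udp" or flow.dst_port != 443:
            continue
        if flow.iface.startswith(tunnel_prefixes):
            continue  # inside the tunnel: expected
        leaks.append(flow)
    return leaks


def summarise(leaks: list) -> dict:
    """Bytes leaked per destination, tagged with whether it is in Apple's range."""
    totals = {}
    for f in leaks:
        key = (f.dst_host, ipaddress.ip_address(f.dst_host) in APPLE_NET)
        totals[key] = totals.get(key, 0) + f.nbytes
    return totals
```

A per-destination total that grows at a steady rate with no user activity is what Mullvad's "heartbeat" reading of the traffic would look like in this view.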
What should Private Relay users do?
At the time of writing, to the best of our knowledge, Apple has neither acknowledged this issue nor provided a patch or fix for it. Mullvad is not an ethical hacking outfit and happened across this issue by accident, so Apple may not even have been made aware of it prior to it going public.
But if you are one of the users that has been running Private Relay in beta mode, our advice would be to manually disable it for now to be on the safe side.
You can do this on your mobile Apple device by going to Settings, tapping your name, then iCloud, then Private Relay. For Mac users, you will need to go to the Apple menu and choose System Preferences, followed by Apple ID, then iCloud, then Private Relay.
Alternatively, rather than relying on a beta version of Apple’s blend of a VPN and the Tor Network, use a proper VPN instead. They are far more user-friendly, customisable, and effective than Private Relay and offer far more security and privacy protections too.
Even better, when you connect to a premium VPN, Private Relay should automatically disable itself on most devices too.
The news that Apple is looking to move into the VPN space in this way is a clear acknowledgement from the world’s biggest computer tech company of the importance of VPNs.
But their in-house tool is nowhere near at the same level as the main VPNs we recommend here at VPNCompare. And until that changes, our advice is that you stick with the tried and tested.