ProtonVPN has been quick to establish itself as one of the most prominent and responsible members of the VPN community with a detailed and diligent approach to the security and privacy of its members, as would be expected from the company behind the encrypted ProtonMail webmail service.
But it also has an active community of members and, through one of them, ProtonMail has stumbled upon a serious vulnerability in the iOS operating system that affects not just their own users, but users of all VPNs.
The iOS VPN bypass vulnerability
When you connect to your VPN, the operating system on the device you are using will usually cut all existing internet connections and then re-establish them through the VPN. This ensures that everything you do online is being encrypted by your VPN provider.
However, a member of the ProtonVPN community recently pointed out to them that in Apple’s iOS version 13.3.1. which is the operating system for all iPhone’s and iPads, this did not happen and the operating system did not close existing connections before reestablishing new ones through the VPN.
ProtonVPN have looked into this and found that the problem continues with the latest versions of iOS, 13.4 also has the same issue.
ProtonVPN is upfront about the fact that, for most connections, this will not matter too much. Most will be short-lived and will quickly reestablish themselves through the VPN connection.
But that is not the case with all connections and some could remain established for minutes or even hours without reestablishing themselves inside the VPN’s encrypted tunnel.
An example they give of this is Apple’s push notification service, which is a long-established link between your device and Apple’s server. In theory, any app could find itself in this trap including web browsers and instant messaging services.
How the iOS VPN bypass vulnerability works
ProtonVPN looked into this vulnerability using Wireshark to capture the entire network traffic of an iOS device that was running on the affected version of iOS.
The data this generated should only have shown traffic moving between the device and the VPN server it had established a connection with. However, they repeatedly found evidence of connections to external servers that were not the VPN server.
The most common external servers were Apple’s own servers as these tend to have the longest-standing connections from iOS devices. But there is no reason why other apps and connections couldn’t wind up in the same position.
As such, this is a serious vulnerability as it has the potential to leave crucial communication channels unencrypted. It could also potentially leave users exposed to IP leaks as hackers could see and store users actual IP addresses and the servers they are connecting to.
It could even allow websites and ISPs to see your actual IP address when you are doing sensitive things online and potentially put users at risk of reprisals in countries like Iran and Communist China.
How to get around the iOS VPN bypass vulnerability
ProtonVPN has assessed this vulnerability as being of a medium level of severity. More worryingly, they are also clear that there is nothing they or any other VPN can directly do to address the issue.
iOS is set up in a way that does not allow VPN apps to cut existing network connections. Only Apple has the power to do that and the fact that this vulnerability has cropped up on success versions of iOS suggests it is either an issue they were unaware of or something they do not consider an urgent priority.
A more cynical observer might even suggest that the vulnerability was a deliberate one being used by Apple to collect more data on their users or for some other malign intent. There is no evidence to support such a theory at present and Apple is yet to comment on the vulnerability at the time of writing beyond acknowledging its existence.
Fortunately, ProtonVPN has also devised a simple workaround that any iPhone or iPad user can follow that mitigates the problem and ensures that all of your online activity is encrypted by your VPN every time.
They recommend that after you have connected to your chosen VPNs server, you head into your devices settings menu and switch the Airplane mode button on and off. Doing this will automatically kill all established internet connections and when they reconnect they will automatically do so inside the encrypted VPN tunnel.
It is to ProtonVPN’s enormous credit that they have taken this issue seriously when it was flagged to them. It is even more positive that they have chosen to share the information they have uncovered transparently and publicly to benefit all VPN users, not just their own.
Such a move will help all VPN users to keep their online data secure and private when using iOS devices. It will also put more pressure on Apple to find and roll out a fix for the issue.
ProtonVPN is showing a level of transparency that all VPNs should aspire to. If all VPNs work together and share information in the manner, the industry as a whole can make the whole internet a safer place for all.
