An iOS 13.4 VPN Bug May Lead to Data Leaks


VPN providers receive their fair share of criticism. People blame some of them for misusing the trust users grant them and for not protecting their privacy as well as they should. Sometimes the allegations are well-placed, but there are quite a few VPN providers that really want to provide users with a truly secure means of browsing the internet. Their products need to work on many different operating systems, however, and every now and again, this presents a problem. Recently, for example, researchers from Proton VPN found a bug in Apple's iOS that threatens to expose people's data.

iOS doesn't terminate all previous connections when a user establishes a VPN tunnel

If you have a VPN, you have a tunnel through which all your communication passes. The traffic is encrypted, and it runs through one of the VPN provider's servers, which makes tracing it back to you very difficult. You don't always need a VPN, though. More often than not, people use it for specific tasks, and they turn it on and off several times a day. The applications on your device, on the other hand, establish connections to the internet all the time, regardless of whether or not a VPN tunnel is enabled.

No connection should go outside the tunnel once a VPN is turned on, which means that normally when you fire up your VPN client, your operating system temporarily kills all existing connections and establishes them once again through the Virtual Private Network. Proton VPN's specialists found out that iOS doesn't do that.

Using Wireshark, a packet-sniffing application often used by security researchers, Proton VPN discovered that when iOS owners enable their VPNs, some of the existing connections continue to run outside the tunnel. This means that they can be intercepted, especially if they're not served over HTTPS. The bug affects all VPN protocols and clients, and because of iOS' strict permissions policy, providers can't do much to protect their users.
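One way to check a capture for the behavior described above, as an added example that is not code from Proton VPN or from the original article. It assumes the capture was taken on the physical interface and exported as (time, source, source port, destination, destination port); the addresses, ports, timestamps and the `leaked_flows` helper are constructed for illustration.

```python
# Constructed sample: packets seen on the physical (non-tunnel) interface,
# as (seconds, src_ip, src_port, dst_ip, dst_port). All values are made up.
DEVICE = "192.168.1.20"
VPN_SERVER = "203.0.113.10"      # assumed VPN endpoint
VPN_UP_AT = 100.0                # assumed moment the tunnel was enabled
PLAINTEXT_PORTS = {80}           # port-based heuristic only, not proof

PACKETS = [
    (10.0, DEVICE, 50001, "198.51.100.5", 443),
    (20.0, DEVICE, 50002, "198.51.100.7", 80),
    (30.0, DEVICE, 50003, "198.51.100.9", 443),    # closed before the VPN
    (100.5, DEVICE, 50010, VPN_SERVER, 1194),      # tunnel traffic
    (101.0, "198.51.100.5", 443, DEVICE, 50001),   # reply on an old flow
    (130.0, DEVICE, 50002, "198.51.100.7", 80),
    (131.0, VPN_SERVER, 1194, DEVICE, 50010),
    (160.0, DEVICE, 50001, "198.51.100.5", 443),
]

def leaked_flows(packets, device, vpn_server, vpn_up_at):
    """List flows that still bypass the tunnel after the VPN came up."""
    flows = {}
    for t, src, sport, dst, dport in packets:
        if vpn_server in (src, dst):
            continue                      # encrypted tunnel traffic is expected
        if src == device:
            key = (sport, dst, dport)     # outbound packet
        elif dst == device:
            key = (dport, src, sport)     # inbound reply, same flow
        else:
            continue                      # unrelated host on the network
        f = flows.setdefault(key, {"first": t, "last": t, "after": 0})
        f["first"], f["last"] = min(f["first"], t), max(f["last"], t)
        f["after"] += t >= vpn_up_at
    report = []
    for (_, rip, rport), f in sorted(flows.items()):
        if f["after"]:
            report.append({
                "remote": f"{rip}:{rport}",
                # True: an old connection that was never torn down (this bug)
                "pre_existing": f["first"] < vpn_up_at,
                "plaintext_port": rport in PLAINTEXT_PORTS,
                "packets_after_vpn": f["after"],
                "seconds_outside_tunnel": round(f["last"] - vpn_up_at, 1),
            })
    return report

if __name__ == "__main__":
    for row in leaked_flows(PACKETS, DEVICE, VPN_SERVER, VPN_UP_AT):
        print(row)
```

A row with `pre_existing` set to False would indicate a new connection opened outside the tunnel, which is a different problem from the one described here.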

Fortunately, although it's a bit cumbersome, there is a workaround. You can turn on your VPN, enable airplane mode on your device, which will terminate all existing connections, and then disable airplane mode. Your device will re-connect to the VPN server automatically and will route all the traffic through it.

Apple has yet to patch the vulnerability

Indeed, working your way around the problem is awkward and complicated, but there seems to be no other solution for the time being. Proton VPN's experts discovered the bug in iOS 13.3.1 and reported it to Apple immediately. Despite this, the issue was not fixed, and it's still present in iOS 13.4.

Normally, the iPhone maker is praised for the way it handles vulnerabilities, so this situation is somewhat unusual. It must be said that we're not talking about the most dangerous bug out there. The majority of connections applications establish are relatively short-lived, and in most cases, even in an unpatched system, within minutes of establishing a connection to a VPN server, almost all of the data should be passing through it. Nevertheless, the bug must not be underestimated.

People who use a VPN don't do it for the fun of it. For many of them, ensuring that they can't be traced is of vital importance, and we shouldn't forget that VPNs are especially popular in countries that try to censor and spy on the population. In these regions, the consequences of this seemingly small bug could be rather more serious. Here's hoping that Apple will fix it sooner rather than later.

April 2, 2020