Unlikely. Apple has said no to the US government many times. You remember the infamous case when they refused to unlock the San Bernardino shooter's iPhone right?
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled
- Thread starter MacRumors
- Start date
- Sort by reaction score
If you look at this originally from the Proton AG and Apple interaction, Proton AG told Apple, Apple fixed a few things and said they were done even after PAG showed them where issues still existed. (see articles in Post 33).
At the end of the day, everyone with knowledge and skill wants to eat a pie of some kind from this VPN leak bs, and customer is always the loser in between. Both Apple and security researchers have their own nefarious intention in mind After all.Considering this has been a “thing” for years, and it has blown up previously, at this point it’ll just blow up over and over again every time a Security Researcher needs to get their name in the news.They are likely hoping very hard that it stays JUST the way it is so that they can ‘report’ on it again when iOS 17 comes out. More publicity!
Yeah, for publicity and live Marketing I suppose, even if they actually pull it off.
I can't tell if you think you're saying something different than I did in the sentences you cropped out...
The bolded takeaway from Proton is still: the kill switch mostly works but despite there being some DNS queries and such that leak "if you use Proton VPN while connected to public WiFi, your sensitive traffic still cannot be monitored."
I'd personally consider DNS queries to be sensitive and don't see an excuse to delay the reconnection through the tunnel (and it does eventually reroute through the tunnel). I find the fact that Apple hasn't buttoned this up yet to be enormously frustrating. Still, that's not the same as saying they only care about appearances and not actually protecting customers. Going that far is hyperbolic and not supported by fact.
Presumably it’s because Apple doesn’t want users to circumvent geofences for their own services.
There is also the fact that, for Apple to be able to cell phones in certain regions, certain features have to be disabled. Any government that cares that much to have that as a requirement for selling devices is likely not going to accept “They had VPN on, so we didn’t know where in the world they were!“
While you aren’t wrong, problem here is they are failing at doing that.
I still have an old 300 baud VICModem in storage. Couldn’t believe how lighting quick the 1200 was when I got it as a Christmas present. I thought it was too fast because I couldn’‘t keep up with the text. 😆
Honestly I suspect a lot of these connections are left the way they are to ensure things keep working. If the connection was established before the VPN is connected, then the site or service you’re connecting with already has had access to info that can be used to finger print you.
I genuinely wish Apple kicked half the VPN services off the App Store. So many seniors end up paying monthly for these products that slow down their connection or outright break it, especially if they stop paying for it but don’t delete the app.
Also I suspect this ‘research’ is probably being paid for by one of the ones that tracks users of its service.
I genuinely wish Apple kicked half the VPN services off the App Store. So many seniors end up paying monthly for these products that slow down their connection or outright break it, especially if they stop paying for it but don’t delete the app.
Also I suspect this ‘research’ is probably being paid for by one of the ones that tracks users of its service.
Tunnel all offers no added benefit and puts more burden on the corp network. The traffic destin for the Corp Lan is encapsulated in the tunnel and is not sniffable unless the computer itself is compromised (which is true for tunnel all at that point). The only benefit to tunnel all is for trying to ensure IPS and AVG is inspecting all the traffic, but that is not going to guarantee anything. Most of the burden of tunnel all is not the bandwidth, it's the number of connections being maintained by the firewall and the added burden of the inspection services. It's just a poor practice that is perpetrated by security compliance written by people that aren't network experts. ISO is full of theory holes. I would love to be able to explain my point better, but it's been a while since I had to bust out the theory books. Either way if you need to be ISO compliant...they force you to tunnel all. So you win by default LOL.
This has been discussed before. This is not what VPNs were originally created to do - they were built to connect to private networks, not to tunnel the public internet.
There have also been a few bad eggs in the past who have abused VPNs to analyze internet traffic of Apple customers (*cough* Facebook, Google). There have been companies who have used VPN tunnels to monitor and block access, sometimes as part of parental control products, sometimes as part of something more nefarious like monitoring the online activity of your partner.
There are more VPN controls available on iOS devices outside of consumer products, via enterprise MDM. A deliberate design decision was made to not expose all these controls to consumer apps where they might be abused.
The first step would be to get Apple to confirm that it isn't working exactly as designed/intended.
Day by day, I’m honestly thinking about going back to Android; it took me 20 minutes last night just to put on some music on my phone because there is no drag and drop functionality, there isn’t even an sound eq setting OS wide like what LG and Asus have.
Pros; 5 years of OS updates. And that’s really it, that is the only reason I switched
- I’m tired of paying the apple storage tax;
- friends who use Garmin watches on Android get way more functionality;
- Lighting port is absolute garbage, it’s USB 2.0;
- Simple things, such as setting a high ring volume but low notification volume still are absent;
- Widgets still suck like it’s android 5.0
- And yes, I want a headphone jack;
Pros; 5 years of OS updates. And that’s really it, that is the only reason I switched
Android also leaks https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic/
Google says it is "working as intended"
Google says it is "working as intended"
Apple fans and their supporters are very quick to deride Google and Meta (formerly Facebook), especially Meta for the way they go about tracking people and here we have Apple doing EXACTLY the same and hardly anyone bats an eyelid!!!. This bug was found in iOS13 and the exact same bug has now been found in iOS16 and what does the bug do? it leaks DNS requests outside of VPN's. What is so signifigant about DNS requests one might ask, well DNS requests are bits of data that constantly communicate with Apple servers. DNS data can be tracked and monitored therefore allowing the tracker to know exactly where you are at all times.
Whilst the majority of us do not care and we are happy to go about using our iphones without a care in the world allowing Apple to see what we do of every minute of every day there are some who do not and thus rely on the security aspect of a VPN because if Apple can see you, so can others who want to track you down.
It is obvious Apple do not want to fix this bug because it's been allowed to go unfixed since it was first reported in iOS13 because we have all seen how fast Apple respond to bugs in their software when users start complainging about something, it is fixed in the next update but here we have a security flaw bug reported in iOS 13 and still gone unfixed. That should tell people a lot.
Whilst the majority of us do not care and we are happy to go about using our iphones without a care in the world allowing Apple to see what we do of every minute of every day there are some who do not and thus rely on the security aspect of a VPN because if Apple can see you, so can others who want to track you down.
It is obvious Apple do not want to fix this bug because it's been allowed to go unfixed since it was first reported in iOS13 because we have all seen how fast Apple respond to bugs in their software when users start complainging about something, it is fixed in the next update but here we have a security flaw bug reported in iOS 13 and still gone unfixed. That should tell people a lot.
Sure, I use a VPN. But I also want Find My Phone to work. I want driving directions from my home, not Denver. When I search for a resto I’m looking locally, not in Seattle or New Orleans. I want the right time on my screen, I want my device to register the right time zone. Some stuff (if you want it to work) still needs actual-ish location to deliver. This is a conundrum inside of a riddle inside of a marketing ploy.
iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered.
Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16's approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.
In August, it again emerged that third-party VPNs for iOS and iPadOS routinely fail to route all network traffic through a secure tunnel after they have been turned on – an issue that Apple has purportedly known about for years.
Typically, when a user activates a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. In iOS, security researchers have found that sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.
According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16.
Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge:
Mysk and Bakry also investigated whether iOS 16's Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel.
iOS 16 introduced Lockdown mode as an optional security feature designed to protect the "very small number" of users who may be at risk of "highly targeted cyberattacks" from private companies developing state-sponsored spyware, such as journalists, activists, and government employees. Lockdown mode does not enable a VPN itself, and relies on the same third-party VPN apps as the rest of the system.
Due to the fact that iOS 16 leaks data outside the VPN tunnel even where Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.
It is worth noting that Apple only lists high-level features that activate when Lockdown mode is enabled, and Apple has not explicitly mentioned any changes that take place to affect VPN traffic. Nevertheless, as Lockdown mode claims to be an extreme protection measure, it seems like a considerable oversight that VPN traffic is a vulnerable point.
Article Link: iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled
Last edited:
But all those thing you require should be options that you enable or disenable via the VPN shouldn't it? Years ago due to DDOS attacks I used a firewall which allowed control of everything going to and fro from my computer. the firewall was very precise, I could control IP's, DNS responses, networks sockets, network ports, the list goes on. Any decent VPN should allow you to do the same so you have control of what you want going in and out of your iphone.
I understand that you want certain features of your iphone to work as intended but surely you should have control of that via a VPN and not Apple, yes?
If people used a VPN on their devices that use Chrome and the same was going on I am sure people would be complaining about Google as well.
Nice conspiracy post, but don't you need Apple to track you if you lost your phone? Was facebook handling of PII really above board. Remember when the service is free, you are the product.
Give Apple a break. They had to bring us lots of new features this year, no time to fix things like this.
I mean come on, you don’t have to deal with a SIM card!
I mean come on, you don’t have to deal with a SIM card!
Well, it obviously isn't iOS's auto-[in]correct feature.
NSA (aka Meta) is quite happy when you register with Apple email to Meta. Even with hide my email on. There is no confirmation of identity needed. Strange isn’t it?