Tunnel all offers no added benefit
I totally disagree. Not being able to sniff the traffic is the benefit that it adds.
The traffic destined for the corp LAN is encapsulated in the tunnel and is not sniffable unless the computer itself is compromised (which is true for tunnel all at that point).
That's true, but if your tunnel all allows no access to the internet, then at least the traffic can't be sniffed in real time (and not at all if the remote computer isn't allowed normal internet access ever). I know corps who do just that, and it's necessary as they're dealing with sensitive info.
I would love to be able to explain my point better, but it's been a while since I had to bust out the theory books. Either way if you need to be ISO compliant...they force you to tunnel all. So you win by default LOL.
ISO isn't one of my concerns -- yet. Just the normal paranoia of seeing a lot of what happens on the internet that normal people don't see. Like there's *always* traffic from the script kiddies trying to break into your network, and keeping your internal network behind a VPN gets rid of most of that.

I am unclear about the split tunnel thing as it would apply to me. Connections really aren't a problem in my current setup, too small a shop. Allowing a split tunnel is allowing traffic on the remote side my stuff won't see, and that's a problem because those same script kiddies are scanning the remote side too and taking up bandwidth doing it.

Interesting discussion, btw!
 
Well, it obviously isn't iOS's auto-[in]correct feature. :p

OMG this is one of the few things that makes me actually consider going back to Android again.

I remember a podcast years ago just before the Android keyboard rebranded as Gboard with the scientist in charge of it. He talked about all kinds of interesting insights to make typing better, and Gboard is damn good.

I believe this is it (can only find Apple Podcasts link…) https://podcasts.apple.com/ca/podcast/episode-43-keyboard-input/id785545036?i=1000362812114 but it’s called Android Developers Backstage: Keyboard Input and his name is Dr. Shumin Zhai.

Apple just needs to drive a dump truck full of gold up to that guy’s house and do whatever it takes to get this fixed. I feel like I am actively fighting with my iPhone every time I try to type something. Third party keyboard support is still as janky as it was the day it was released, and counting on Google to fix typing on iPhone is not a good idea.

I turned autocorrect off long ago as it went back and broke sentences that had been typed correctly. But it used to be ok just tapping the center suggestion to fix the word. That is now completely broken and makes wild suggestions instead of doing very obvious things like simply adding an apostrophe to ”dont.” Instead it suggests something like “don takes” which I have never typed.
 
This is embarrassing for Apple. I really wish they were more ambitious in their whole privacy thing. Letting this bug last for so long is shameful. And with GoogleFi announcing their cellular VCN today, it sure would be nice to see Apple make SOME effort in their cellular/wifi security.
 
Nice conspiracy post, but don't you need Apple to track you if you lost your phone? Was Facebook's handling of PII really above board? Remember: when the service is free, you are the product.
I can imagine the MR posts,
“When I turn on VPN, Maps stops working, how is this useful?”
“VPN was on when I last used my phone… now I can’t find it. How could Apple release something so broken?”
“The reason why the time isn’t displayed correctly with VPN on is because greeedy Apple wants to force you to BUY a VPN that lets it display properly. Timmy has to go, and also I’m sure they don’t like puppies!”
I, for one, LOVE that they are performing this work. Apple basically has a split-tunnel VPN enabled no matter what you do, which is a direct affront to their supposed privacy-focused stance. Shoot, if I'm using a VPN, for what reason does any of my DNS data need to go anywhere else besides over the tunnel??
They (tech companies in general) just can't resist the urge to mine their user's data, no matter what they say publicly.
Regular DNS over UDP/53 is used for Apple Private Relay bootstrap and monitoring. It doesn't contain any user-related mineable metadata.
Most probably they saw that.
Yes, they’ll only say the scary part out loud and forget mentioning the seriousness. ;)
Unlikely. Apple has said no to the US government many times. You remember the infamous case when they refused to unlock the San Bernardino shooter's iPhone right?
And what evidence do you have that the San Bernardino shooter's case was nothing more than a publicity stunt and they unlocked it anyway?
 
The whole thing was just an act put on with the government and Apple in leading roles. See, since the government wanted people to think Apple was trustworthy, they started this whole big case “Apple won’t unlock this phone” so Apple looks like the good guy. And THEN, the government says, “Oh we didn’t REALLY need Apple’s help as this one was unlocked using an already known tool as it was an older phone.”

Apple looks “good” and gains more trust
Government got their data
Annnnnd, SCENE!
 
Probably more like: Apple said no, Apple said no, Apple said no, then the Government issued a National Security Letter or a judge's order and Apple said yes.

The point being that Apple does not take security seriously except in Advertisements and Keynotes. Everyone needs to look at Apple's performance not its desires and feelings. Certainly I am not suggesting that they ignore security, but they do just enough to avoid serious hacks while letting the Government in. People may or may not be good with that, but they should not confuse facts with Marketing.
 
Your assumption is that something special is required for Apple to voluntarily just hand the information over? I suppose that’s one way to see it.

The point being that Apple does not take security seriously except in Advertisements and Keynotes.
Right, so why would they need any special document or judge’s order? They’d just hand it over.

People may or may not be good with that, but they should not confuse facts with Marketing.
Especially as the government has a part to play in their marketing plan.
whisper “Thanks for the data Apple”
“That darned Apple is so resolute in their privacy! They won’t even give us the data we need. And, we say that to say we hate that your data is safe with them!”
whisper “Was that good?”
 
I can imagine the MR posts,
“When I turn on VPN, Maps stops working, how is this useful?”
“VPN was on when I last used my phone… now I can’t find it. How could Apple release something so broken?”
“The reason why the time isn’t displayed correctly with VPN on is because greeedy Apple wants to force you to BUY a VPN that lets it display properly. Timmy has to go, and also I’m sure they don’t like puppies!”
Maps and time use GPS, which is not modified by VPN solutions.
If you are trying to access remote resources and keep them secure, split tunnel is the solution. If you are trying to trap all the traffic of the person accessing the network over the VPN for some reason, then tunnel all is the solution. I guess my point is that if you are accessing remote resources and only care about them and their security, split tunnel is enough and the so-called leak will not impact that integrity. If you are trying to monitor everything the employee is doing and want to run everything they do through an AVG or something, then tunnel all works. I just don't agree with security experts that tunnel all is required for accessing remote resources only accessible over the VPN. The encapsulation is the security and nothing is going to leak or be sniffed out of that.

I'm looking at this only through the corp lens and not the consumer one. The consumer solutions need tunnel all to work, obviously.
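The split-tunnel vs. tunnel-all distinction the two posters argue about can be checked against observed flows. This is an added example, not code from the thread or from any VPN vendor: it classifies constructed flow records (interface, destination, protocol, port) as fine or leaking, where "leak" means something different under each policy. The interface name, corp prefix and VPN endpoint are assumed sample values.

```python
import ipaddress

# Constructed sample flows (not a real capture): which interface each flow left on.
# "utun2" is the assumed tunnel interface, "en0" the physical Wi-Fi interface.
SAMPLE_FLOWS = [
    {"iface": "utun2", "dst": "10.10.5.20",   "proto": "tcp", "port": 443},    # corp portal, inside tunnel
    {"iface": "en0",   "dst": "203.0.113.9",  "proto": "udp", "port": 51820},  # the VPN endpoint itself
    {"iface": "en0",   "dst": "10.10.5.21",   "proto": "tcp", "port": 445},    # corp share, outside tunnel
    {"iface": "en0",   "dst": "8.8.8.8",      "proto": "udp", "port": 53},     # plain DNS, outside tunnel
    {"iface": "en0",   "dst": "198.51.100.7", "proto": "tcp", "port": 443},    # general web, outside tunnel
]

CORP_NETS = [ipaddress.ip_network("10.10.0.0/16")]        # assumed corporate address space
VPN_ENDPOINT = ipaddress.ip_address("203.0.113.9")        # assumed VPN concentrator address
TUNNEL_IFACE = "utun2"


def classify_flow(flow, mode, corp_nets=CORP_NETS,
                  vpn_endpoint=VPN_ENDPOINT, tunnel_iface=TUNNEL_IFACE):
    """Return 'ok' or a leak label for one flow. mode is 'split' or 'full'."""
    if mode not in ("split", "full"):
        raise ValueError("mode must be 'split' or 'full'")
    dst = ipaddress.ip_address(flow["dst"])
    if flow["iface"] == tunnel_iface:
        return "ok"                      # encapsulated: exactly what the tunnel is for
    if dst == vpn_endpoint:
        return "ok"                      # the outer tunnel packets themselves must leave on en0
    if any(dst in net for net in corp_nets):
        # Corp-destined traffic bypassing the tunnel breaks the goal of BOTH policies.
        return "leak:corp-outside-tunnel"
    if mode == "split":
        return "ok"                      # split tunnel deliberately sends non-corp traffic direct
    # Tunnel-all: anything else leaving on the physical interface is a policy violation.
    if flow["proto"] == "udp" and flow["port"] == 53:
        return "leak:dns-outside-tunnel"
    return "leak:internet-outside-tunnel"


def find_leaks(flows, mode):
    """List (destination, leak label) for every flow that violates the given policy."""
    results = []
    for flow in flows:
        label = classify_flow(flow, mode)
        if label != "ok":
            results.append((flow["dst"], label))
    return results


if __name__ == "__main__":
    for mode in ("split", "full"):
        print(mode, find_leaks(SAMPLE_FLOWS, mode))
```

Under the split-tunnel policy only the corp share on en0 is flagged; under tunnel-all the plain DNS and web flows on en0 are flagged as well, which is the "leak" the two policies disagree about.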
Exactly. These pRiVaCy VPNs are just tunnel-all VPNs. For a split-tunnel VPN this is not a problem at all. Most use cases are split tunnel in the corp world. That’s why Apple doesn’t care. It’s amazing that people think VPN equals privacy; it doesn’t. If you don’t think these major VPN carriers are letting the NSA into the data center one way or another… I have a bridge to sell you. There are a lot more ways to track you even over a VPN. I doubt 99% of people using VPNs for privacy have done anything else but fall for the marketing hype. There is no such thing as privacy anymore. This is a layer that has to be used with other layers. VPN is not a singular solution.
Well said.

I would say that Apple's Private Relay is the step in the right direction if folks really want to obscure their web surfing habits from prying eyes. It's not going to stop parties with the resources to track someone. All they need are the logs from Apple and the third party relays.

Once we go online, we leave traces. Anyone determined enough with deep resources will be able to trace you if they wanted to.

Using a VPN service is just letting the VPN service provider have full view of your Internet access habits instead of the ISP. So I guess most folks just trust their VPN service providers instead of their ISPs? But I guess most folks just fell for the marketing.
I look at it as part protection too, so tunnel all works better for where I work. I can certainly see why you prefer a split tunnel though (less traffic for the LAN).

Maybe I'm a little paranoid, but unless there's a problem with too paranoid, I'll stick with it. We don't have remote full time staff, so limiting internet traffic while connected is okay to do.
 
A VPN is no privacy tool; it is for connecting two networks securely. Don't try to change a feature to do a thing it is not meant to do...

This is 100% true. Back in the day I had an ssh VPN to my house from work so I could use the Internet without being monitored or filtered. The company blocked the most ridiculous and benign content. This exact function morphed into what we have today.
And yet you both, by stating this, must realize corporations USE their own implementation (or branding of) VPN on iOS (most likely deployed by MDM solutions) ...

MUST NEED to SECURE private information or access to their networks without LEAKING PRIVATE information:
- Sharepoint site access,
- Global Address Book access,
- secure encrypted email functionality,
- shared drive access - not very many mining/financial corps in Canada allow this that I've seen since iOS 8 to be honest, yet some may still globally.
- Document file access in specific portals.

Do NOT think just the basic functionality of a VPN by a service or corporation/company effectively changes the NEED for the flow of PRIVATE information to be protected. This is a common mistake by many when just thinking of the consumer space, and heavily forgetting the corporate space.