iOS Vulnerability Prevents VPNs From Encrypting All Traffic

[MacRumors]

A vulnerability affecting iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic, allowing some internet connections to bypass encryption, potentially exposing users' data and IP addresses.

A screenshot from ProtonVPN demonstrating exposed connections to Apple's servers that should be protected by the VPN​

Details on the vulnerability were shared today by Bleeping Computer after it was discovered by ProtonVPN. The vulnerability is caused because iOS isn't terminating all existing connections when a user connects to a VPN, allowing them to reconnect to destination servers once the VPN tunnel has been established.

Connections made after connecting to a VPN on an iOS are not affected by this bug, but all previously established connections are not secure. This could potentially lead to a user who believes they are protected accidentally exposing IP an address and therefore, an approximate location.

Apple's Push Notifications are cited as an example of a process using connections on Apple's servers that aren't closed automatically when connecting to a VPN, but it can affect any app or service running on a user's device.

VPNs cannot work around the issue because iOS does not allow VPN apps to kill existing network connections, so this is a fix that will need to be implemented by Apple. Apple is aware of the vulnerability and is looking into options to mitigate it.

Until fixed, VPN users can connect to a VPN server, turn on Airplane Mode and then turn off Airplane Mode to kill all existing connections. The mitigation isn't entirely reliable, however, so iPhone and iPad owners who rely on VPNs should be careful until Apple puts out a fix.

Article Link: iOS Vulnerability Prevents VPNs From Encrypting All Traffic

 

[now i see it]

VVPN

 

[konqerror]

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows built-in VPN client has this exact same behavior.

 

[ppetrovic]

Oh well, it seems we'll get iOS 13.4.1 sooner rather than later.

 

[H2SO4]

All those people that refused to update smirking, (but only a little).

 

[az431]

I've always assumed that this was the case, and for that reason always start VPN before starting any service that needs VPN, and then verify that the connection was indeed secure before relying on it.

It actually doesn't make much sense that the system would disconnect existing connections when VPN is started since it would immediately terminate any downloads, etc.

 

[Will Tisdale 🎗]

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail.

I don’t think so.
iOS used to handle this correctly, then stopped.
Not tearing down existing connections completely undermines the point of a VPN.

 

[himanshumodi]

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows built-in VPN client has this exact same behavior.

I think the point is on iOS the VPNs CAN'T do this because of iOS restrictions. A lay user would definitely assume all connections once VPN tunnel has been established would be encrypted. i didn't even know there were configurable options to not interrupt existing connections.

 

[Square-Eyes]

I got caught out by the fact that if you tether a device to your phone it will bypass the phone’s VPN 😡🤦‍♂️

 

[neohavix]

Can someone explain to me what's going on with those circled items. Not a techie. Just trying to get a better understanding of what is happening.

 

[azentropy]

Isn't this what happened in HBO's Silicon Valley?

 

[SantaFeNM]

I got caught out by the fact that if you tether a device to your phone it will bypass the phone’s VPN 😡🤦‍♂️

What?! I didn't know this.

 

[Will Tisdale 🎗]

Can someone explain to me what's going on with those circled items. Not a techie. Just trying to get a better understanding of what is happening.

Sure.
The only outgoing connections should be to the VPN endpoint, ie, the connections with the ESP protocol (which is the encrypted packets which make up the VPN tunnel).
Anything else is outside the VPN tunnel and shouldn’t be.

 

[PinkyMacGodess]

Oops... Has iOS gotten too complicated, or is it just lazy programmers?

 

[Joniz]

Fortunately, everyone’s porn traffic is hidden in among all the other porn traffic clogging the networks these days.

 

[Will Tisdale 🎗]

Fortunately, everyone’s porn traffic is hidden in among all the other porn traffic clogging the networks these days.

But your ISP can easily identify the sites you are visiting, as they have knowledge of your end and the far end of the connection. Who uses a VPN for porn anyway? 🙄

 

[len5]

"Who uses a VPN for porn anyway?"

Isn't that the main reason why consumers use a VPN?

 

[PinkyMacGodess]

But your ISP can easily identify the sites you are visiting, as they have knowledge of your end and the far end of the connection. Who uses a VPN for porn anyway? 🙄

Everyone in Utah?

 

[chucker23n1]

VPNs cannot work around the issue because iOS does not allow VPN apps to kill existing network connections, so this is a fix that will need to be implemented by Apple. Apple is aware of the vulnerability and is looking into options to mitigate it.

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows built-in VPN client has this exact same behavior.

I've always assumed that this was the case, and for that reason always start VPN before starting any service that needs VPN, and then verify that the connection was indeed secure before relying on it.

It actually doesn't make much sense that the system would disconnect existing connections when VPN is started since it would immediately terminate any downloads, etc.

I feel like we need more info here.

As others have said, it would be problematic to silently kill existing connections when connecting to a VPN. That's certainly not the behavior I would expect. I suppose it depends on whether you use a VPN to add certain networks (such as your corporate office), or to globally route all your traffic (such as for privacy reasons). In the former case, I don't want my non-office connections to be reset.

If MacRumors is reporting this right and VPN apps cannot reset connections, that makes me wonder what changed here. Did iOS previously indeed terminate any open socket when connecting?

 

[Will Tisdale 🎗]

"Who uses a VPN for porn anyway?"

Isn't that the main reason why consumers use a VPN?

No?
Personally I use one routed to a server I trust to stop mobile network operators profiling me.

 

[Westside guy]

I’m sometimes stunned by the upvotes people get for posting incorrect information.

If a VPN is configured to send all network traffic through the VPN when it’s running - which is typically what‘s done - then all traffic should be routing through it from the moment it’s enabled. Not just connections to new end points established afterward - all traffic.

Even if a VPN is configured to just carry traffic to a few specific end points (such as the OpenVPN tunnel to our servers, which I’m relying on heavily right now due to the stay at home order currently in place here in Washington): if you’re already connected to one of those end points before establishing the tunnel, you would expect all further traffic to go through the tunnel. The idea that you wouldn’t is ludicrous.

 

[Will Tisdale 🎗]

I feel like we need more info here.

As others have said, it would be problematic to silently kill existing connections when connecting to a VPN. That's certainly not the behavior I would expect. I suppose it depends on whether you use a VPN to add certain networks (such as your corporate office), or to globally route all your traffic (such as for privacy reasons). In the former case, I don't want my non-office connections to be reset.

If MacRumors is reporting this right and VPN apps cannot reset connections, that makes me wonder what changed here. Did iOS previously indeed terminate any open socket when connecting?

I feel that people need to learn about the expected behaviour of VPNs before commenting.
There’s actually two types on iOS. Split vpn and full tunnel. Split allows some stuff to be routed elsewhere. Full tunnel tunnels everything.

 

[Westside guy]

As others have said, it would be problematic to silently kill existing connections when connecting to a VPN.

Why on earth would you assume it would “kill” the connection? It should just change the routing of subsequent packets between the two points. Internet Protocol shouldn’t care about the routing.

 

[konqerror]

I feel that people need to learn about the expected behaviour of VPNs before commenting.
There’s actually two types on iOS. Split vpn and full tunnel. Split allows some stuff to be routed elsewhere. Full tunnel tunnels everything.

Even if a VPN is configured to just carry traffic to a few specific end points (such as the OpenVPN tunnel to our servers, which I’m relying on heavily right now due to the stay at home order currently in place here in Washington): if you’re already connected to one of those end points before establishing the tunnel, you would expect all further traffic to go through the tunnel. The idea that you wouldn’t is ludicrous.

Nope. I have two full tunnels on two different clients (Cisco Anyconnect, and Pulse Secure) and neither display the behavior which you are claiming.

It doesn't matter to the OS whether it is full or split, any changes to the routing table do not affect existing connections.

Why on earth would you assume it would “kill” the connection? It should just change the routing of subsequent packets between the two points.

A TCP connection is defined by its origin IP, origin port, destination IP and destination port, known as its 4-tuple. Change one IP and the connection is invalid. Think about it logically, if I suddenly change my IP address how will the other end know where to send the data? If you have a method, what prevents somebody else at a different IP address from hijacking my existing connection?

 

[Will Tisdale 🎗]

Nope. I have two full tunnels on two different clients (Cisco Anyconnect, and Pulse Secure)

Well, I can tell you that Anyconnect will tear down any active connections, assuming it’s configured correctly. My work VPN certainly does.

TCP is designed to retry after being torn down. It’s no biggie.

The fact is, this is an iOS bug, which was introduced recently.