VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher

[MacRumors]

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Typically, when a users connects to a VPN, the operating system closes all existing internet connections and then re-establishes them through the VPN tunnel. That is not what Horowitz has observed in his advanced router logging. Instead, sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the VPN tunnel while it is active, leaving it potentially unencrypted and exposed to ISPs and other parties.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Horowitz claims that his findings are backed up by a similar report issued in March 2020 by privacy company Proton, which said an iOS VPN bypass vulnerability had been identified in iOS 13.3.1 which persisted through three subsequent updates to iOS 13.

According to Proton, Apple indicated it would add Kill Switch functionality to a future software update that would allow developers to block all existing connections if a VPN tunnel is lost.

However, the added functionality does not appear to have affected the results of Horowitz's tests, which were performed in May 2022 on an iPadOS 15.4.1 using Proton's VPN client, and the researcher says any suggestions that it would prevent the data leaks are "off base."

Horowitz has recently continued his tests with iOS 15.6 installed and OpenVPN running the WireGuard protocol, but his iPad continues to make requests outside of the encrypted tunnel to both Apple services and Amazon Web Services.

As noted by ArsTechnica, Proton suggests a workaround to the problem that involves activating the VPN and then turning Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel.

However, Proton admits that this is not guaranteed to work, while Horowitz claims Airplane mode is not reliable in itself, and should not be relied on as a solution to the problem. We've reached out to Apple for comment on the research and will update this post if we hear back.

Article Link: VPNs for iOS Are Broken and Apple Knows It, Says Security Researcher

 

[xxray]

I remember this getting reported on a couple years ago, and never getting an update. I just assumed it had been fixed.

I’m so glad my privacy has been compromised for the last 2.5 years and still is being compromised while Apple knows about it and does nothing about it.

 

[Blackstick]

It’s always been janky for us, but honestly with so much of our business moving to cloud/SAAS model, there’s very little on prem stuff left to even access.

 

[0134168]

Very confusing article.

 

[antiprotest]

While other companies screw you on the cloud, Apple screws you "on device."

 

[VulchR]

Nice to know Apple was faffing about with CSAM stuff while this vulnerability just sat there. Perhaps Apple should refund those of us who pay for VPN services? I live in the UK, where pretty much everybody, at every level of government, can gain access to your browsing history unless you use a VPN.

 

[Isamilis]

As noted by ArsTechnica, Proton suggests a workaround to the problem that involves activating the VPN and then turning Airplane mode on and off to force all network traffic to be re-established through the VPN tunnel.

It worked also on 1.1.1.1 (Cloudflare). Thanks!

 

[arkitect]

Ah, well that probably explains why on my last trip to *cough* a country that shall remain unnamed, but where the Fruit company has many things manufactured *cough* my VPN went tits up and I was unable to use my favourite search engine.

FFS Apple!

 

[pbush25]

Any chance what this researcher is seeing is stuff bypassing the vpn to go to iCloud private relay? I agree that the vpn shouldn’t be bypassed, but without mentioning whether this feature was on or off I’m not sure this is a conclusive test.

 

[BootsWalking]

This may seem like a benign annoyance but some people rely on VPNs for very important situations, like reporters who need it to protect their sources or themselves.

 

[arkitect]

Nice to know Apple was faffing about with CSAM stuff while this vulnerability just sat there. Perhaps Apple should refund those of us who pay for VPN services? I live in the UK, where pretty much everybody, at every level of government, can gain access to your browsing history unless you use a VPN.

That'd be a great idea… Now if only the UK did Class Action law suits. 🤔

Like alcoholics, the first step is acknowledging there is a problem. But as we know that is never Apple's way of doing things.

This may seem like a benign annoyance but some people rely on VPNs for very important situations, like reporters who need it to protect their sources or themselves.

Exactly. Lives are put at risk.
And here's the thing, these reporters or activists or ordinary sane people think it's all OK until that 4:00am knock on the door.

 

[Wildkraut]

There we go, Apple and it’s fake privacy commitments, surely just a hard to fix bug “again”.

Apple lets some Big Sur network traffic bypass firewalls

Firewalls are “100% blind” to ~50 Apple apps and processes under undocumented change.

arstechnica.com

MacOS Big Sur reveals Apple secretly hates your VPN and firewall

Apple apps in the latest release of macOS can bypass firewalls and VPNs

www.techradar.com

 

[HappyDude20]

Very confusing article.

Honestly personally this VPN article was much less confusing than the previous article explaining how Pixermator Pro was switching to a subscription based model.

 

[JM]

Come on, y’all. Little ol’ Apple is doing the best they can. Bless their heart.

 

[DD88]

Nice to know Apple was faffing about with CSAM stuff while this vulnerability just sat there. Perhaps Apple should refund those of us who pay for VPN services? I live in the UK, where pretty much everybody, at every level of government, can gain access to your browsing history unless you use a VPN.

If the government want to look at what you’ve been looking at, they can do anyway. Most people who are average with computers can see what you’ve been looking at ,A VPN won’t ever stop that

 

[arkitect]

Come on, y’all. Little ol’ Apple is doing the best they can. Bless their heart.

I know. We're such harsh b******s. Always picking on the little guy. 🤣

 

[jbeaud]

Thank you for sharing! I'm always fascinated by these technical articles.

 

[cyanite]

Ah, well that probably explains why on my last trip to *cough* a country that shall remain unnamed, but where the Fruit company has many things manufactured *cough* my VPN went tits up and I was unable to use my favourite search engine.

FFS Apple!

How would it explain that? How is it related?

 

[arkitect]

How would it explain that? How is it related?

Errrm. Have you not read the article?

Here let me quote you the very first sentence of MR's article:

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

You are also apparently unaware of the draconian levels of surveillance in some countries. So as a traveller you need a trustworthy secure VPN to do some very basic and I'll add perfectly legal things…
So all it takes is just one slip up and you are exposed and compromised.

Now, admittedly you might not have a problem with that, so each to their own.

 

[6787872]

leave it to apple to screw up something as basic as vpn

 

[polyphenol]

I'll add perfectly legal things…

Though even using a VPN could be illegal, let alone anything that might be done over that VPN.

No - not saying it is right. Just pointing out that some things you and I may do legally are not necessarily legal elsewhere.

 

[arkitect]

Though even using a VPN could be illegal, let alone anything that might be done over that VPN.

No - not saying it is right. Just pointing out that some things you and I may do legally are not necessarily legal elsewhere.

Yes, good point.
I meant, legal in our home countries. Things such as freedom of speech and thought — or using a VPN. 🙂

 

[laptech]

I wonder how many 'bad guys and bad girls' lost their lives due to thinking they was safe using a VPN on their Apple iphone only that they were not safe because their iphone was leaking there true IP address to anyone that was watching/investigating them (other bad guys and bad girls).

I wonder if the same 'leak' happens on android phones when using a VPN

Edit: I wonder how this works for the US military because I remember reading in a MR thread where a member mentioned that military personnel have to use a VPN on their Apple devices. I wonder if enemies of the US know about this vpn leak and have used it to find the location of military personnel based on the 'real IP' of the Apple device that is being 'leaked'.

 

[nt5672]

This may seem like a benign annoyance but some people rely on VPNs for very important situations, like reporters who need it to protect their sources or themselves.

Yep, and I would not be the least bit surprised if there was a National Security Letter associated with not fixing the bug. You know, to protect the children.

 

[Bustycat]

Congratulations to China