Engineers at Proton Technologies, the company behind ProtonMail and ProtonVPN, have reported an iOS bug that prevents VPN applications from encrypting all of a device's traffic. A member of the Proton community discovered the problem in iOS 13.3.1, and it still affects the latest release, iOS 13.4. Apple has not yet released a patch.
Although Apple is still working on a fix, Proton Technologies decided to publish details of the vulnerability now because, in its view, the community and other VPN providers should be aware of the problem.
Experts explain that when a VPN is enabled, the operating system should close all existing Internet connections and re-establish them through the VPN tunnel so that user data and privacy are protected. iOS, however, does not appear to close existing connections, so their traffic remains unprotected: new connections are routed through the VPN tunnel, but connections that were already active when the user connected to the VPN server stay outside it.
“Most connections are short-lived and will eventually be resumed independently through the VPN tunnel. However, some of them are long-lived and can remain open for several minutes to several hours outside the VPN tunnel,” the researchers write. “One striking example is Apple's push notification service, which maintains a long-lived connection between the device and Apple's servers. But the problem can affect any other application or service, such as a messenger or a web beacon.”
And while insecure connections are becoming less common, the main problem is that the user's IP address and the IP address of the server they connect to remain exposed: the server will "see" the user's real IP address instead of the VPN server's address.
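A check in the spirit of the problem described above, written for a desktop host where a connection table can be read (an added example, not Proton's code or part of the advisory): it parses a constructed, netstat-style table and flags established sockets whose local address lies outside the tunnel subnet, while skipping loopback traffic and the client's own connection to the VPN gateway, which legitimately sits on the physical interface. The tunnel subnet and gateway address are assumed values.

```python
"""Flag established connections that bypass the VPN tunnel.

The sample table below is constructed, netstat-style input (proto, local
endpoint, remote endpoint, state), not real output from any system.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def split_endpoint(endpoint: str):
    """Accept both 'ip:port' (Linux) and 'ip.port' (BSD/macOS) forms."""
    sep = ":" if ":" in endpoint else "."
    host, _, port = endpoint.rpartition(sep)
    return host, int(port)


def parse_table(text: str):
    conns = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip headers or malformed lines
        lip, lport = split_endpoint(parts[1])
        rip, rport = split_endpoint(parts[2])
        conns.append(Conn(parts[0], lip, lport, rip, rport, parts[3]))
    return conns


def find_leaks(text: str, tunnel_cidr: str, vpn_gateway_ip: str):
    """Return established connections whose local address is not in the tunnel."""
    tunnel = ipaddress.ip_network(tunnel_cidr)
    leaks = []
    for c in parse_table(text):
        local = ipaddress.ip_address(c.local_ip)
        if c.state != "ESTABLISHED" or local.is_loopback:
            continue
        if c.remote_ip == vpn_gateway_ip:
            continue  # the tunnel's own outer connection is expected here
        if local not in tunnel:
            leaks.append(c)  # pre-existing socket still on the physical interface
    return leaks


SAMPLE = """\
tcp4 10.8.0.2:49152 203.0.113.20:443 ESTABLISHED
tcp4 192.168.1.23:51234 203.0.113.5:5223 ESTABLISHED
tcp4 192.168.1.23:51300 203.0.113.9:443 TIME_WAIT
tcp4 192.168.1.23:51400 198.51.100.7:443 ESTABLISHED
tcp4 127.0.0.1:631 127.0.0.1:52000 ESTABLISHED
"""

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE, "10.8.0.0/24", "198.51.100.7"):
        print(f"outside tunnel: {leak.local_ip}:{leak.local_port} -> {leak.remote_ip}:{leak.remote_port}")
```

Only the long-lived 5223 connection (a push-notification style socket opened before the tunnel came up) is reported; the gateway, loopback and non-established entries are filtered out.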
“Those at greatest risk from this bug are people in countries where surveillance and civil rights violations are common,” the experts add.
The vulnerability does not yet have a CVE identifier, but it has been given a CVSS score of 5.3, which classifies it as moderate severity.
Until Apple releases a patch, Proton Technologies recommends that users turn on Airplane Mode (which ends all Internet connections) after connecting to the VPN server. Once Airplane Mode is turned off again, the device reconnects to the VPN server, and all traffic should then be protected. Apple itself also recommends the Always-on VPN feature, which forces applications to connect only through the VPN. However, that feature is available only to organizations (it requires a mobile device management service) and works only with certain types of VPN.