Connect with us

Hi, what are you looking for?


Data Protection

No Patch for VPN Bypass Flaw Discovered in iOS

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple’s iOS mobile operating system that prevents VPN applications from encrypting all traffic.

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple’s iOS mobile operating system that prevents VPN applications from encrypting all traffic.

The flaw was discovered by a member of the Proton community in iOS 13.3.1, but Apple has yet to release a patch and the issue impacts even the latest version, 13.4.

Apple is reportedly working on a fix, but Proton says it has disclosed the bug because it believes its community and other VPN services providers should be aware of its existence.

When a VPN is used, the device’s operating system should close all existing internet connections and reestablish them through a VPN tunnel to protect the user’s data and privacy. However, iOS apparently fails to close existing connections, which results in traffic remaining unprotected.

“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” Proton explained in a blog post.

“One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons,” it added.

While this can expose users’ traffic if their connection is not made over HTTPS, unprotected connections are increasingly rare. However, the bigger problem is that the user’s IP address and the IP of the server they are connecting to remain exposed, and the server will see the user’s real IP instead of the VPN server’s IP.

“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” Proton explained.

Advertisement. Scroll to continue reading.

The company pointed out that new internet connections will connect through the VPN tunnel, but connections that are running when the user connects to the VPN server will remain outside the tunnel.

This VPN bypass vulnerability does not have a CVE identifier, but it has been assigned a CVSS score of 5.2, which puts it in the medium severity category.

Until Apple releases a patch, Proton has proposed a workaround, which involves enabling airplane mode on the device — this will kill all internet connections — after connecting to a ProtonVPN server. Once airplane mode is turned off, the device should reconnect to the VPN server and all traffic should be protected.

Apple also recommends use of its Always-on VPN feature, which forces applications to connect only through a VPN. However, this feature is only available to organizations — it requires the use of a device management service — and it only works with certain types of VPNs.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years

Related: Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...