SecurityWeek

Data Protection

No Patch for VPN Bypass Flaw Discovered in iOS

Proton Technologies, the company behind the privacy-focused ProtonMail and ProtonVPN services, this week disclosed the existence of a vulnerability in Apple’s iOS mobile operating system that prevents VPN applications from encrypting all traffic.

The flaw was discovered by a member of the Proton community in iOS 13.3.1, but Apple has yet to release a patch and the issue impacts even the latest version, 13.4.

Apple is reportedly working on a fix, but Proton says it has disclosed the bug because it believes its community and other VPN services providers should be aware of its existence.

When a VPN is used, the device’s operating system should close all existing internet connections and reestablish them through a VPN tunnel to protect the user’s data and privacy. However, iOS apparently fails to close existing connections, which results in traffic remaining unprotected.

“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” Proton explained in a blog post.

“One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons,” it added.

This can expose the content of users’ traffic when a connection is not made over HTTPS, although unencrypted connections are increasingly rare. The bigger problem is that the user’s IP address and the IP address of the server they are connecting to remain exposed: the server sees the user’s real IP instead of the VPN server’s IP.

“Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” Proton explained.

The company pointed out that new internet connections will connect through the VPN tunnel, but connections that are running when the user connects to the VPN server will remain outside the tunnel.
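As an added illustration (not code from the article or from Proton), the following Python script checks a summarised packet capture for exactly this pattern: flows from the device that were already open before the tunnel came up and keep sending directly, outside the tunnel, afterwards. All addresses, ports and timestamps are constructed sample data; the capture would in practice be taken on the Wi-Fi network the device is using.

```python
"""Offline check for the VPN bypass pattern described above.
Input: (timestamp, src, dst, dport) records summarised from a packet capture.
All values below are constructed sample data, not taken from the article."""

DEVICE = "192.168.1.20"        # constructed: LAN address of the iOS device
VPN_SERVER = "203.0.113.5"     # constructed: VPN endpoint; tunnelled traffic goes here
VPN_UP_TS = 100.0              # constructed: second at which the tunnel came up

# Constructed capture summary: (ts, src, dst, dport).
# 198.51.100.10:5223 stands in for a long-lived push-notification connection.
PACKETS = [
    (10.0, DEVICE, "198.51.100.10", 5223),   # long-lived connection opened before VPN
    (50.0, DEVICE, "198.51.100.20", 443),    # short web fetch, finished before VPN
    (110.0, DEVICE, VPN_SERVER, 1194),       # tunnel traffic after VPN up (expected)
    (130.0, DEVICE, "198.51.100.10", 5223),  # old connection still outside the tunnel
    (140.0, DEVICE, VPN_SERVER, 1194),
    (200.0, DEVICE, "198.51.100.30", 443),   # brand-new direct flow after VPN up
]


def classify_leaks(packets, device, vpn_server, vpn_up_ts):
    """Return {(dst, dport): 'pre-existing' | 'new'} for flows from `device`
    that are sent directly (not to vpn_server) after vpn_up_ts.

    'pre-existing' flows were first seen before the tunnel came up, which is
    the iOS behaviour the article describes. 'new' direct flows after tunnel-up
    indicate a different problem (split tunnelling, tunnel dropped) and are
    reported separately so the two are not confused."""
    first_seen = {}
    leaks = {}
    for ts, src, dst, dport in sorted(packets):
        if src != device or dst == vpn_server:
            continue                      # not our device, or correctly tunnelled
        key = (dst, dport)
        first_seen.setdefault(key, ts)
        if ts >= vpn_up_ts:
            leaks[key] = "pre-existing" if first_seen[key] < vpn_up_ts else "new"
    return leaks


if __name__ == "__main__":
    for (dst, dport), kind in classify_leaks(PACKETS, DEVICE, VPN_SERVER, VPN_UP_TS).items():
        print(f"{dst}:{dport} bypasses the tunnel ({kind} connection)")
```

A flow reported as pre-existing is the case the airplane-mode workaround addresses; a new direct flow after tunnel-up is not explained by this bug and warrants a separate look at the VPN configuration.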

This VPN bypass vulnerability does not have a CVE identifier, but it has been assigned a CVSS score of 5.2, which puts it in the medium severity category.

Until Apple releases a patch, Proton has proposed a workaround, which involves enabling airplane mode on the device — this will kill all internet connections — after connecting to a ProtonVPN server. Once airplane mode is turned off, the device should reconnect to the VPN server and all traffic should be protected.

Apple also recommends use of its Always-on VPN feature, which forces applications to connect only through a VPN. However, this feature is only available to organizations — it requires the use of a device management service — and it only works with certain types of VPNs.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Related: iOS Vulnerabilities Allowed Attackers to Remotely Hack iPhones for Years

Related: Apple Patches Tens of Vulnerabilities in iOS, macOS Catalina

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
