An unpatched Apple iOS bug could expose data
There is a currently unpatched security vulnerability that is affecting iOS 13.3.1 or later. The bug prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some internet connections bypassing VPN encryption to expose the data of users, or to leak their IP addresses.
Connections made after connecting to a VPN on your iOS device are not affected by this bug, but all previously established connections will remain outside the VPN’s secure tunnel.
This vulnerability is due to Apple’s iOS not terminating all existing internet connections when the user connects to a VPN. iOS should instead have those connections automatically re-established to their destination servers once the VPN tunnel is up.
Virtual private network service provider ProtonVPN was the company that disclosed the vulnerability. It stated that, “most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.”
It is during the time that connections remain outside the VPN’s secure communication channel that serious consequences can arise.
The issue is two-fold: user data could be exposed to third parties if the connections themselves are not encrypted, and IP address leaks could reveal a user’s location or expose the user, along with the destination servers, to attacks.
In the ProtonVPN report, they state that Apple’s push notifications are a good example of a process using connections to Apple servers that won’t be closed automatically. Unfortunately, this bug can affect any service or app running on the user’s iOS device, from web beacons all the way to instant messaging applications.
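As an added example (not code from this article, ProtonVPN or Apple), the following Python audit applies the rule described above to a constructed connection snapshot: it flags sockets that were established before the tunnel came up and are still alive on the physical interface afterwards, and ranks them by how long they stayed outside. The interface names (`en0`, `utun*`) and destination hosts are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: VPN tunnels show up as utunN/ipsecN/pppN interfaces and "en0"
# stands in for the physical Wi-Fi or cellular interface.
TUNNEL_PREFIXES = ("utun", "ipsec", "ppp")


@dataclass(frozen=True)
class Flow:
    dst: str              # destination host:port (constructed placeholders)
    iface: str            # interface the socket is bound to
    start: datetime       # when the connection was established
    last_seen: datetime   # last packet observed, or the close time


def is_tunnel(iface: str) -> bool:
    return iface.startswith(TUNNEL_PREFIXES)


def leaked_flows(flows, tunnel_up, long_lived=timedelta(minutes=5)):
    """Return [(flow, seconds_outside, is_long_lived)] for connections that
    were opened before tunnel_up and were still active on a non-tunnel
    interface after it. seconds_outside is the leak window after tunnel_up,
    so short flows that re-establish on their own rank low and long-lived
    ones (push channels, messaging, beacons) rank high."""
    findings = []
    for f in flows:
        if is_tunnel(f.iface) or f.start >= tunnel_up or f.last_seen <= tunnel_up:
            continue  # inside the tunnel, opened after it, or closed before it
        outside = f.last_seen - tunnel_up
        findings.append((f, int(outside.total_seconds()), outside >= long_lived))
    findings.sort(key=lambda t: -t[1])
    return findings


# Constructed sample snapshot (not real traffic); tunnel came up at 10:00:00.
T = datetime(2020, 3, 26, 10, 0, 0)
SAMPLE = [
    Flow("push.example.net:5223", "en0", T - timedelta(minutes=30), T + timedelta(minutes=45)),
    Flow("www.example.org:443", "en0", T - timedelta(seconds=10), T + timedelta(seconds=12)),
    Flow("cdn.example.org:443", "en0", T - timedelta(minutes=10), T - timedelta(minutes=2)),
    Flow("chat.example.net:443", "utun2", T + timedelta(minutes=1), T + timedelta(minutes=40)),
]

if __name__ == "__main__":
    for flow, secs, long in leaked_flows(SAMPLE, T):
        tag = "LONG-LIVED" if long else "short"
        print(f"{tag:10} {flow.dst:24} {flow.iface:6} {secs}s outside tunnel")
```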
It is not possible to use a VPN app to kill existing network connections, as iOS does not permit VPN apps to do so.
Apple has acknowledged the VPN bypass vulnerability following ProtonVPN’s report and is currently looking into options for fully mitigating the issue.
For now, Apple recommends using Always-on VPN to mitigate the problem. However, this workaround uses device management, so it cannot be used to mitigate the vulnerability for third-party VPN apps.
If you are using a third-party VPN, ProtonVPN recommends that you turn on airplane mode after connecting to a VPN server. Then, turn off airplane mode. The VPN will reconnect and your other connections should reconnect inside the VPN tunnel.
While this is not a 100% reliable fix, it does provide an option that allows for the continued use of VPNs until a patch can be developed and implemented.
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648