There is a currently unpatched security vulnerability affecting iOS 13.3.1 or later. The bug prevents virtual private networks (VPNs) from encrypting all traffic: some internet connections bypass the VPN's encryption, which can expose the data of users or leak their IP address. Connections made after connecting to a VPN on your iOS device are not affected by this bug, but all previously established connections remain outside the VPN's secure tunnel.
This vulnerability is due to Apple's iOS not terminating existing internet connections when the user connects to a VPN. iOS should instead close those connections so that they automatically reconnect to their destination servers once the VPN tunnel is established.
Virtual private network service provider ProtonVPN was the company that disclosed the vulnerability. They have stated that, “most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.”
It is during the periods when connections sit outside the VPN's secure communication channel that serious consequences can arise.
The issue is two-fold: user data could be exposed to third parties if the connections are not themselves encrypted, and IP address leaks could reveal the users' location or expose them, along with the destination servers, to attacks.
In its report, ProtonVPN cites Apple's push notifications as a good example of a process whose connections to Apple servers are not closed automatically. Unfortunately, this bug can affect any service or app running on the user's iOS device, from web beacons all the way to instant messaging applications.
VPN apps cannot be used to kill existing network connections, because iOS does not permit VPN apps to do so.
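The mechanism described above is that sockets opened before the tunnel came up stay bound to the physical interface's address, so they never enter the tunnel. On platforms where you can list connections (Linux or macOS, not iOS itself), that is something you can check for directly. The following is an added example, not code from the article or from ProtonVPN: it parses output in the shape of Linux `ss -tn` (the sample lines are constructed, using documentation address ranges; the VPN-assigned address 10.8.0.5 and the port-5223 push-style connection are assumptions) and reports established connections that are not bound to the VPN-assigned local address.

```python
"""Audit which established TCP connections are bound to the VPN tunnel address.

Sockets created before a VPN tunnel is established keep their binding to the
physical interface address and therefore bypass the tunnel. Given the local
address a VPN assigned to the tunnel interface, this script flags established
connections whose local address is anything else (loopback excluded).
The input format mimics `ss -tn` on Linux; the sample is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample, not captured from a real device.
# 192.168.1.23 is the (assumed) LAN address of the physical interface,
# 10.8.0.5 is the (assumed) address the VPN assigned to the tunnel.
# The 5223 connection stands in for a long-lived push-style session that
# was opened before the tunnel came up.
SAMPLE_SS = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 192.168.1.23:51234 198.51.100.7:5223
ESTAB 0 0 10.8.0.5:51240 203.0.113.10:443
ESTAB 0 0 127.0.0.1:8080 127.0.0.1:51250
TIME-WAIT 0 0 192.168.1.23:51200 203.0.113.10:443
"""


@dataclass(frozen=True)
class Conn:
    state: str
    local: str        # local address without port
    local_port: int
    peer: str         # remote address without port
    peer_port: int


def _split_hostport(text):
    """Split 'host:port', handling bracketed IPv6 like '[2001:db8::1]:443'."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(output):
    """Parse `ss -tn`-style output into Conn records, skipping the header."""
    conns = []
    for line in output.strip().splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line
        state, _recvq, _sendq, local, peer = parts[:5]
        lhost, lport = _split_hostport(local)
        phost, pport = _split_hostport(peer)
        conns.append(Conn(state, lhost, lport, phost, pport))
    return conns


def find_leaking_connections(conns, vpn_local_ip):
    """Return established connections not bound to the VPN-assigned address.

    Loopback connections never leave the device, so they are not leaks.
    Non-established states (TIME-WAIT etc.) carry no further application data.
    """
    vpn_ip = ipaddress.ip_address(vpn_local_ip)
    leaks = []
    for c in conns:
        if c.state != "ESTAB":
            continue
        local_ip = ipaddress.ip_address(c.local)
        if local_ip.is_loopback:
            continue
        if local_ip != vpn_ip:
            leaks.append(c)
    return leaks


def leak_report(output, vpn_local_ip):
    """Human-readable lines for each connection found outside the tunnel."""
    leaks = find_leaking_connections(parse_ss(output), vpn_local_ip)
    return [f"{c.local}:{c.local_port} -> {c.peer}:{c.peer_port} is outside the tunnel"
            for c in leaks]


if __name__ == "__main__":
    for line in leak_report(SAMPLE_SS, "10.8.0.5"):
        print(line)
```

Running it on the constructed sample reports only the pre-tunnel 5223 session; the connection bound to 10.8.0.5 went through the tunnel and the loopback one is ignored. On a real host you would feed it the live `ss -tn` output and the address shown on the tunnel interface.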
Apple has acknowledged the VPN bypass vulnerability, thanks to ProtonVPN's report, and is currently looking into options on how to fully mitigate the issue.
For now, Apple recommends using Always-on VPN to mitigate the problem. However, this workaround requires device management, so it cannot be used to mitigate the vulnerability for third-party VPN apps.
If you are using a third-party VPN, ProtonVPN recommends that you turn on airplane mode after connecting to a VPN server, then turn airplane mode off again. The VPN will reconnect, and your other connections should reconnect inside the VPN tunnel.
While this is not a 100% reliable fix, it does provide an option that allows for the continued use of VPNs until a patch can be developed and implemented.
As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648
RHYNO Networks was designed to meet the needs of the IT marketplace. Specifically, to offer businesses skilled, timely IT services in order for them to focus on their business. We’re dedicated to the principles of Reliability, Innovation and Customer Service.