VPNs running on iPhones leak traffic, according to researcher

Daniel Sims

Posts: 586   +21
Staff
Facepalm: Many users rely on VPNs to keep their connections secure and private, and a significant chunk of those connections likely come from iPhones and iPads. It should be of significant concern then if no VPNs work as advertised on Apple's operating system.

This week, a security researcher and blogger reiterated his claims that all VPNs on iOS are broken. According to researcher Michael Horowitz and ProtonVPN, every VPN on iOS has been leaking data for at least the past two years.

The core of the problem is that when a user activates a VPN on an iPhone or iPad, the device won't first terminate all internet connections before restarting them within the VPN tunnel. Because of this behavior, while the VPN may route some connections through its servers to hide a user's real IP address, connections outside the tunnel could leak a device's IP address or other data.

ProtonVPN publicized the issue and reported it to Apple in 2020, but Horowitz's recent tests show that it remains unresolved in the latest versions of iOS and iPadOS (15.6). Horowitz found that the problem affects ProtonVPN, WireGuard, Windscribe, and others, showing that the vulnerability lies with iOS itself. Apple and Proton have suggested a few workarounds, but Horowitz's tests show that likely none are foolproof.

One solution is to use Apple's Always-on VPN feature, which ensures the VPN tunnel is always active before outside connections can start. However, this requires deploying device management – a complex process that isn't accessible to most users.

In late 2020, Apple added the ability for iOS VPNs to incorporate a kill switch to stop all connections when a VPN fails. However, Horowitz's tests still showed non-VPN connections getting through after enabling the feature.

Proton suggested turning on airplane mode after activating a VPN to shut off all of a device's connections, then switching off airplane mode with the VPN still engaged, which should restart connections inside the tunnel. Airplane mode, however, might not stop all prior connections, as users can control Wi-Fi settings independently of it, possibly confusing the process.

Ultimately, Horowitz advises against trusting any VPN on Apple iOS devices. Instead, users may want to operate a VPN from the router to protect the entire network if individual devices leak data. A secondary router dedicated to VPN connections is ideal.
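
One way to check a device for the behavior described above is to compare flow records captured on the network side against the moment the VPN came up. This is an added example, not code from the article or from Horowitz's tests; the flow-record format, the function names and all addresses (RFC 5737 documentation ranges) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    first_seen: float  # seconds since capture start
    last_seen: float
    src: str
    dst: str
    dport: int

def classify(flow, vpn_server, vpn_up_at, lan):
    """Label one flow relative to the VPN activation time."""
    dst = ip_address(flow.dst)
    if dst == ip_address(vpn_server):
        return "tunnel"       # the encrypted VPN transport itself
    if dst in ip_network(lan):
        return "local"        # LAN traffic, not expected inside the tunnel
    if flow.last_seen < vpn_up_at:
        return "pre-vpn"      # ended before the VPN came up
    if flow.first_seen < vpn_up_at:
        return "survivor"     # opened before the VPN, still active after it
    return "new-outside"      # opened after VPN activation, yet bypasses it

def find_leaks(flows, device_ip, vpn_server, vpn_up_at, lan="192.168.1.0/24"):
    """Return (kind, flow) for each flow from device_ip that bypassed the tunnel."""
    leaks = []
    for f in flows:
        if f.src != device_ip:
            continue          # only the device under test
        kind = classify(f, vpn_server, vpn_up_at, lan)
        if kind in ("survivor", "new-outside"):
            leaks.append((kind, f))
    return leaks

# Constructed sample capture: the VPN is activated at t = 100 s.
DEVICE, VPN = "192.168.1.50", "203.0.113.10"
SAMPLE = [
    Flow(5, 60, DEVICE, "198.51.100.20", 443),    # closed before the VPN
    Flow(10, 400, DEVICE, "198.51.100.30", 443),  # long-lived, outlives VPN start
    Flow(100, 400, DEVICE, VPN, 51820),           # the tunnel itself
    Flow(150, 160, DEVICE, "192.168.1.1", 53),    # LAN resolver
    Flow(200, 210, "192.168.1.77", "198.51.100.40", 443),  # a different device
]

if __name__ == "__main__":
    for kind, f in find_leaks(SAMPLE, DEVICE, VPN, vpn_up_at=100):
        print(kind, f.dst, f.dport)
```

A "survivor" result corresponds to the pre-existing connections the article describes; a "new-outside" result would indicate traffic opened after activation that still avoids the tunnel.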


psycros

Posts: 4,335   +6,334
This is a massive flaw and privacy risk. This would have landed many Apple users in hot soup who thought they were protected. Shocking to see that the world's richest company is unable to resolve a simple yet important issue like this after two years.

It's funny that the company that monitors and sells ALL your online activity is also the one that will let a VPN actually protect you from everyone *but* Google itself.
 

terzaerian

Posts: 1,488   +2,199
Ultimately, Horowitz advises against trusting any VPN on Apple iOS devices. Instead, users may want to operate a VPN from the router to protect the entire network if individual devices leak data. A secondary router dedicated to VPN connections is ideal.
Which is stupid because one of the applications of a VPN is masking your traffic when you're on a public wifi network. Not to mention that operating a VPN on the router level is probably going to lead to confusion when a website refuses a connection because of your VPN, or in the case of ProtonVPN, a feature of the VPN blocks a website. This is hard enough to work out when you're just talking about debugging it on the device running the VPN as an application.

tl;dr Go to hell, Apple
 

Darth Shiv

Posts: 2,307   +845
I don't understand what is so hard to dynamically re-route ALL traffic via the VPN when the VPN comes live. This seems braindead obvious networking 101. How *bad* must the implementation be to not make this easy? VPNs have been around for a lot longer than iOS.
 

Endymio

Posts: 1,821   +1,889
People should spend more time thinking about claims in articles, rather than simply reacting to them. Yes, this so-called "exploit" can leak your IP address -- but only over a connection established before you activated the VPN, which means the server in question already has your real IP address anyway. Stultus emptor.

 

terzaerian

Posts: 1,488   +2,199
People should spend more time thinking about claims in articles, rather than simply reacting to them. Yes, this so-called "exploit" can leak your IP address -- but only over a connection established before you activated the VPN, which means the server in question already has your real IP address anyway. Stultus emptor.
Which would indeed be pretty dumb of the user to do, had I not, per your instructions, actually read the article and thought it through:
One solution is to use Apple's Always-on VPN feature, which ensures the VPN tunnel is always active before outside connections can start. However, this requires deploying device management – a complex process that isn't accessible to most users.
So clearly keeping your VPN always-on on an iDevice is not something you can normally do, so activating a VPN after the fact is the "default" option available to Apple users. Tace.
 

Darth Shiv

Posts: 2,307   +845
People should spend more time thinking about claims in articles, rather than simply reacting to them. Yes, this so-called "exploit" can leak your IP address -- but only over a connection established before you activated the VPN, which means the server in question already has your real IP address anyway. Stultus emptor.
The SERVER does but not other clients who can snoop on the hops. You are exposing that connection ad infinitum which increases risk exposure duration.

E.g. what if you are on home WiFi then walk out of home and go to public WiFi or onto your 4G? Our devices are literally on 24x7 nowadays. Your home endpoint obviously is a far lesser risk vector than the other two.

Honestly it's amazing how Apple of all companies is so amateur in handling this scenario. Staggering.
 

Endymio

Posts: 1,821   +1,889
The SERVER does but not other clients who can snoop on the hops. You are exposing that connection ad infinitum which increases risk exposure duration.

E.g. what if you are on home WiFi then walk out of home and go to public WiFi
I'm sorry, but in that scenario, your IP will change, which means the TCP connection drops. When it's reestablished, it's done through VPN. No leakage.
 

Old Molases

Posts: 210   +41
So this means no matter what provider you were using, be it Express, Nord, Ivacy VPN etc., your data was being compromised?
 

Darth Shiv

Posts: 2,307   +845
Err, if you waited until *after* you left to start VPN, then your IP will be leaked regardless of this issue or not.
Technically yes. That doesn't make it not valuable to fix that right? Your exposure duration is also important. And your continued movement to higher risk settings like gen public.
 

Endymio

Posts: 1,821   +1,889
Technically yes.
Technically compromising your data is like being technically pregnant.

This issue doesn't leak any data that wasn't otherwise exposed. It increases slightly the time window, if you've already exposed it only. Yes there's some value in correcting that ... but casting this as a crucial vulnerability is silly.
 

Darth Shiv

Posts: 2,307   +845
Technically compromising your data is like being technically pregnant.

This issue doesn't leak any data that wasn't otherwise exposed. It increases slightly the time window, if you've already exposed it only. Yes there's some value in correcting that ... but casting this as a crucial vulnerability is silly.
As I said. Exposure risk has a high correlation to location as well. There are VERY few risks at your front door. There are PLENTY of risks in a shopping centre or public space. If you walk out the door, how many malicious attackers are waiting for you to leave home vs how many are compromising a pool of victims in a public space? The latter is clearly the vast vast vast majority. Which makes it hugely more valuable to fix the issue properly not rug sweep or minimise the significance.

Shades of grey. Clearly you don't get it.
 

Endymio

Posts: 1,821   +1,889
There are VERY few risks at your front door. There are PLENTY of risks in a shopping centre or public space. If you walk out the door, how many malicious attackers are waiting for you to leave home...
Err, you're not getting it. If you started the VPN at your front door, then before you arrive at the shopping center, all connections would have dropped and restarted. No exposure. And if you waited until you were already there to start the VPN, then you're exposed regardless, with or without this so-called "exploit".

In neither case has this exposed data that wasn't already exposed.
 

Darth Shiv

Posts: 2,307   +845
Err, you're not getting it. If you started the VPN at your front door, then before you arrive at the shopping center, all connections would have dropped and restarted. No exposure. And if you waited until you were already there to start the VPN, then you're exposed regardless, with or without this so-called "exploit".

In neither case has this exposed data that wasn't already exposed.
Explain to me why moving from home WiFi to 4G is possible to drop connections but moving from 4G or WiFi to VPN active is not? There's not a good reason.
 

Endymio

Posts: 1,821   +1,889
Explain to me why moving from home WiFi to 4G is possible to drop connections but moving from 4G or WiFi to VPN active is not? There's not a good reason.
It's really not that complicated. When you change networks, your IP will change, and the connections terminate. But when you start VPN, you're getting a second network. For best security, any existing connections at that point are generally terminated and restarted through the VPN tunnel -- but that's a software decision, not a physical requirement.

Under iOS, that restart apparently doesn't happen -- but if you change networks, it has no choice but to do so.