VPNs running on iPhones leak traffic, according to researcher
iOS VPNs have allegedly leaked data since 2020
By Daniel Sims
Facepalm: Many users rely on VPNs to keep their connections secure and private, and a significant chunk of those connections likely come from iPhones and iPads. It should be of significant concern then if no VPNs work as advertised on Apple's operating system.
This week, a security researcher and blogger reiterated his claims that all VPNs on iOS are broken. According to researcher Michael Horowitz and ProtonVPN, every VPN on iOS has been leaking data for at least the past two years.
The core of the problem is that when a user activates a VPN on an iPhone or iPad, the device won't first terminate all internet connections before restarting them within the VPN tunnel. Because of this behavior, while the VPN may route some connections through its servers to hide a user's real IP address, connections outside the tunnel could leak a device's IP address or other data.
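The behaviour described above can be checked from outside the device by classifying flow records seen at the upstream router; this Python example is added here and is not code from the article or from Horowitz's tests. The record format, the addresses (documentation ranges) and the `vpn_up` timestamp are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: flow records as an upstream router might export them.
# Assumed format: first_seen,last_seen,src,dst,dport (times in seconds)
SAMPLE_FLOWS = """\
100,460,192.0.2.10,198.51.100.7,443
120,130,192.0.2.10,198.51.100.8,443
305,900,192.0.2.10,203.0.113.50,51820
410,415,192.0.2.10,198.51.100.9,443
50,800,192.0.2.77,198.51.100.7,443
"""

@dataclass
class Flow:
    first_seen: int
    last_seen: int
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        first, last, src, dst, dport = line.split(",")
        flows.append(Flow(int(first), int(last), ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), int(dport)))
    return flows

def classify(flows, device, vpn_server, vpn_up):
    """Label each flow from `device` relative to the moment the VPN was activated."""
    device, vpn_server = ipaddress.ip_address(device), ipaddress.ip_address(vpn_server)
    result = []
    for f in flows:
        if f.src != device:
            continue  # other hosts on the LAN are out of scope
        if f.dst == vpn_server:
            label = "tunnel"  # the encrypted tunnel itself
        elif f.last_seen < vpn_up:
            label = "closed-before-vpn"  # ended before activation, not a leak
        elif f.first_seen < vpn_up:
            label = "survived-outside-tunnel"  # opened earlier, still active afterwards
        else:
            label = "new-outside-tunnel"  # opened after activation, bypassing the tunnel
        result.append((str(f.dst), f.dport, label))
    return result

if __name__ == "__main__":
    for row in classify(parse_flows(SAMPLE_FLOWS), "192.0.2.10", "203.0.113.50", vpn_up=300):
        print(row)
```

Any flow labelled `survived-outside-tunnel` or `new-outside-tunnel` left the device with its real IP address visible to the destination.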
ProtonVPN publicized the issue and reported it to Apple in 2020, but Horowitz's recent tests show that it remains unresolved in the latest versions of iOS and iPadOS (15.6). Horowitz found that the problem affects ProtonVPN, WireGuard, Windscribe, and others, showing that the vulnerability lies with iOS itself. Apple and Proton have suggested a few workarounds, but Horowitz's tests show that likely none are foolproof.
One solution is to use Apple's Always-on VPN feature, which ensures the VPN tunnel is always active before outside connections can start. However, this requires deploying device management – a complex process that isn't accessible to most users.
In late 2020, Apple added the ability for iOS VPNs to incorporate a kill switch to stop all connections when a VPN fails. However, Horowitz's tests still showed non-VPN connections getting through after enabling the feature.
Proton suggested turning on airplane mode after activating a VPN to shut off all of a device's connections, then switching off airplane mode with the VPN still engaged, which should restart connections inside the tunnel. Airplane mode, however, might not stop all prior connections, as users can control Wi-Fi settings independently of it, possibly confusing the process.
Ultimately, Horowitz advises against trusting any VPN on Apple iOS devices. Instead, users may want to operate a VPN from the router to protect the entire network if individual devices leak data. A secondary router dedicated to VPN connections is ideal.