An unpatched security vulnerability has been reported in recent iOS releases that prevents virtual private networks (VPNs) from being able to encrypt user traffic. The bug, which reportedly exists even in the latest iOS 13.4 update, could expose the personal data of users or provide their IP address details to attackers by bypassing the default VPN encryption. Apple hasn't provided any clarity on its fix, though you can expect an update to your iOS device in the coming days that would patch the security loophole.
Discovered initially by a security consultant of the Proton community, the VPN bypass vulnerability has affected iOS 13.3.1 and later versions, including iOS 13.4 that was rolled out just earlier this week. ProtonVPN has disclosed the issue through a blog post to make all VPN providers and end users aware of its scope.
A VPN is generally used to encrypt traffic, and once you enable a VPN on your device, its operating system typically closes existing Internet connections and re-establishes them through the VPN tunnel. However, the bug discovered in the recent iOS releases restricts the operating system from closing all existing Internet connections.
Although most Internet connections are short-lived and are likely to be re-established through the VPN tunnel, some are long-lasting and can remain active for even hours outside the tunnel. Apple's push notification service is one such example that maintains a long-running connect between the device and Apple's servers. This brings some major security concerns.
“The VPN bypass vulnerability could result in users' data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users' IP address and the IP address of the servers they're connecting to,” the ProtonVPN team writes in the blog post explaining the bug.
The team also underlines that users in countries where surveillance and civil rights abuses are common are at highest risk due to the security flaw. Moreover, VPN service providers can't provide a workaround from their end to fix the loophole since it exists at the operating system level.
That being said, affected iOS users can mitigate the VPN bypass vulnerability on their devices by turning on and off the airplane mode after connecting to a VPN service. This is likely to re-establish connectivity with existing Internet connections through the VPN tunnel.
Apple is already aware of the flaw and is expected to update iOS with a fix soon. Meanwhile, you can apply the airplane mode workaround to limit the problem to some extent. The iPhone maker also recommends its users to opt for the Always-on VPN method that requires device management software to encrypt all traffic through a VPN service.
Since iPadOS is also built on iOS, it would also have the same VPN bypass flaw and would be able to encrypt user traffic through the aforementioned workarounds.