iOS Still Has Unpatched VPN-Related Issue 2 Years After Disclosure; iPhone Users' Data at Risk: Researcher

Researcher says iOS bug does not hide existing Internet connections once VPN is enabled.

By Sourabh Kulesh | Updated: 19 August 2022 14:11 IST

iOS Still Has Unpatched VPN-Related Issue 2 Years After Disclosure; iPhone Users' Data at Risk: Researcher

Photo Credit: Justin Sullivan/ Getty Images North America/ AFP

VPN apps provide a cloak to your online activity

Highlights

The issue was first reported by ProtonVPN in 2020
Apple has provided an optional solution for this
Apple has yet to issue a response on this

VPNs on iOS are leaking user data due to an issue that was first disclosed to Apple privately about 2 years ago, a researcher has claimed. As per the issue, the unpatched security vulnerability does not let an iOS handset fully route all network traffic through VPN apps as it is expected to be and some data leaves the device outside of the VPN tunnel. This flaw was first disclosed to Apple by ProtonVPN in 2020, however, the researcher has said that the Cupertino-based company hasn't plugged the vulnerability yet.

Researcher Michael Horowitz claimed in a blog post that VPN apps on iOS appear to work fine at first i.e., “the iOS device gets a new public IP address and new DNS servers” like the way it should. The data is sent to the VPN server but the researcher says that a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. “Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak,” Horowitz added.

A VPN is used to encrypt traffic. Once enabled, it will give the device a new IP address, DNS servers, and a tunnel for new traffic by closing existing Internet connections as well as re-establishing them through the VPN tunnel. However, the bug in iOS restricts the operating system from hiding all existing Internet connections and/or “leaking” data outside the VPN tunnel bringing some major security concerns.

Apple Releases iOS 15.6.1, macOS Monterey 12.5.1 to Fix Security Bugs

In order to better understand, consider a movie-like scenario in which you are driving a red car and anyone can track you by following you on a helicopter. When you enter a tunnel, the helicopter cannot see you from above and you come outside driving a white car which serves as a cloak for your identity. But if there is a flaw in that cloak that gives away the information, it could allow the trackers to identify it is you. Apple has yet to issue a response on the issue, and we've reached out for comment.

The researcher also claims that he confirmed this data leak using multiple types of VPN and software from multiple VPN providers. He tested it on the latest version of iOS (iOS 15.6). The issue was first publicly reported by ProtonVPN in 2020 and at that time iPhone models were running iOS v13. As per a report, Apple has not yet fully fixed the problem and has provided a solution to this.

Ars Technica cited Proton founder and CEO Andy Yen as saying, “The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people's security is in Apple's hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”

Missed Apple's WWDC 2022? We discuss every major announcement on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.

Affiliate links may be automatically generated - see our ethics statement for details.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.