• Home
  • Mobiles
  • Mobiles News
  • iOS Still Has Unpatched VPN Related Issue 2 Years After Disclosure; iPhone Users' Data at Risk: Researcher

iOS Still Has Unpatched VPN-Related Issue 2 Years After Disclosure; iPhone Users' Data at Risk: Researcher

Researcher says iOS bug does not hide existing Internet connections once VPN is enabled.

iOS Still Has Unpatched VPN-Related Issue 2 Years After Disclosure; iPhone Users' Data at Risk: Researcher

Photo Credit: Justin Sullivan/ Getty Images North America/ AFP

VPN apps provide a cloak to your online activity

  • The issue was first reported by ProtonVPN in 2020
  • Apple has provided an optional solution for this
  • Apple has yet to issue a response on this

VPNs on iOS are leaking user data due to an issue that was first disclosed to Apple privately about 2 years ago, a researcher has claimed. As per the issue, the unpatched security vulnerability does not let an iOS handset fully route all network traffic through VPN apps as it is expected to be and some data leaves the device outside of the VPN tunnel. This flaw was first disclosed to Apple by ProtonVPN in 2020, however, the researcher has said that the Cupertino-based company hasn't plugged the vulnerability yet.

Researcher Michael Horowitz claimed in a blog post that VPN apps on iOS appear to work fine at first i.e., “the iOS device gets a new public IP address and new DNS servers” like the way it should. The data is sent to the VPN server but the researcher says that a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. “Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak,” Horowitz added.

A VPN is used to encrypt traffic. Once enabled, it will give the device a new IP address, DNS servers, and a tunnel for new traffic by closing existing Internet connections as well as re-establishing them through the VPN tunnel. However, the bug in iOS restricts the operating system from hiding all existing Internet connections and/or “leaking” data outside the VPN tunnel bringing some major security concerns.

In order to better understand, consider a movie-like scenario in which you are driving a red car and anyone can track you by following you on a helicopter. When you enter a tunnel, the helicopter cannot see you from above and you come outside driving a white car which serves as a cloak for your identity. But if there is a flaw in that cloak that gives away the information, it could allow the trackers to identify it is you. Apple has yet to issue a response on the issue, and we've reached out for comment.

The researcher also claims that he confirmed this data leak using multiple types of VPN and software from multiple VPN providers. He tested it on the latest version of iOS (iOS 15.6). The issue was first publicly reported by ProtonVPN in 2020 and at that time iPhone models were running iOS v13. As per a report, Apple has not yet fully fixed the problem and has provided a solution to this.

Ars Technica cited Proton founder and CEO Andy Yen as saying, “The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people's security is in Apple's hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”

Missed Apple's WWDC 2022? We discuss every major announcement on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Further reading: iOS, VPN bypass vulnerability, Apple
Sourabh Kulesh
Sourabh Kulesh is a Chief Sub Editor at Gadgets 360. He has worked in a national daily newspaper, a news agency, a magazine and now writing technology news online. He has knowledge on a wide gamut of topics related to cybersecurity, enterprise and consumer technology. Write to sourabhk@ndtv.com or get in touch on Twitter through his handle @KuleshSourabh. More
Vivo Y22s With Snapdragon 680 SoC, 5,000mAh Battery Listed on Company Website Ahead of Launch
Share on Facebook Tweet Snapchat Share Reddit Comment google-newsGoogle News


Follow Us


© Copyright Red Pixels Ventures Limited 2022. All rights reserved.