All Apple devices running the latest iOS 13.4 are vulnerable to an unfixed bug that prevents VPN apps from encrypting network traffic. It means that a large number of iPhones and iPads (running iOS v13.3.1 or later) using any third-party VPN tool could be exposing their real IP address and network traffic publicly. A ProtonVPN security consultant first discovered this issue, and he rated it with a CVSS v3.1 score of 5.3, so it’s categorized as “medium.” The disclosure comes now, 90 days after it has been reported to Apple, but there’s no fix out yet.
Last year, we discovered a vulnerability in iOS that causes connections to bypass VPN encryption. This is a bug in iOS that impacts all VPNs. We have informed Apple, and we are now sharing details so you can stay safe. https://t.co/78v3Brispm
— Proton VPN (@ProtonVPN) March 25, 2020
The problem lies in how iOS is handling the internet connections, as none of them are reset when users connect to a VPN. With the existing connections not being terminated, there’s a good chance that the network traffic won’t pass through the VPN tunnel, even though the link with the VPN server has been successfully established. Some connections last for only a few minutes, but some may go for hours before getting reset. It means that you may have created a connection with a VPN server hours ago, but you may be leaking your IP and browsing data out there.
The worst part of this flaw is that, while VPNs know about the problem, the iOS isn’t allowing the applications to reset the existing network connections. Thus, there can be no fix coming from the vendors of the VPN apps. Apple suggests that users should deploy “Always-on VPN,” but this wouldn’t solve the problem on third-party VPN apps. The only temporary workaround right now is the following:
However, you should keep in mind that even the approach above is not 100% reliable. Some internet reconnections may persist outside the VPN tunnel, rebounding directly from their pre-airplane mode activation state. Unfortunately, due to the nature of this bug, there’s no way to tell if the workaround has helped you or not unless you use a network packet traffic analyzer like Wireshark. If you only see traffic between the device IP and the VPN server on Wireshark, it means you’re protected.