iOS VPN vulnerability leaves user network traffic exposed

The folks over at ProtonVPN have disclosed a vulnerability in iOS 13.4 (present since 13.3.1) that prevents VPNs from encrypting all of an iPhone's traffic: connections that were already open when the VPN tunnel came up keep running outside it, bypassing the VPN server and possibly exposing the user to data leaks and attacks.

ProtonVPN is a popular VPN service; a member of its community first found the bug and reported it, and ProtonVPN submitted it to Apple, which acknowledged it. The root cause lies in the way iOS handles existing connections when a tunnel comes up. Once a VPN tunnel is established, the operating system is expected to close all existing connections so that they are re-established through the tunnel, but iOS does not do so. It leaves the old connections in place, outside the tunnel, and routes only new connections through the VPN.

Most connections last only a few seconds, but some stay open for minutes or hours. The example ProtonVPN gives is Apple's push notification service, whose connection to Apple's servers is kept open and does not close on its own. For as long as such a connection survives, it carries the user's real IP address, so the remote server, and anyone on the network path, can see that the device is there and who it is talking to; if the connection itself is not encrypted, its contents are exposed as well.

Apple has promised a fix in an upcoming software update. In the meantime, ProtonVPN suggests a workaround that improves, but does not guarantee, your chances of closing the leaking connections. They recommend to:

  1. Connect to any ProtonVPN server.
  2. Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN.
  3. Turn off airplane mode. ProtonVPN will reconnect, and your other connections should now reconnect inside the VPN tunnel.
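As an added illustration of both the bug and the workaround (this is not ProtonVPN's or Apple's code), the script below flags established connections whose source address is that of the physical interface rather than the tunnel, which is exactly what a connection that pre-dates the tunnel looks like. iOS itself gives you no socket listing to run it against, so it works over a netstat-style listing of the kind you get on macOS or Linux, where the same check applies; run on a listing taken before and after the airplane-mode toggle, it should show the long-lived push connection leaking before and nothing after. The tunnel address 10.8.0.2, the Wi-Fi address 192.168.1.20 and every sample row are constructed for the example.

```python
"""Spot established connections that are running outside a VPN tunnel.

Once a tunnel is up, every established socket should use the tunnel
interface's address as its local (source) address. A socket still bound to
the address of the physical interface (Wi-Fi or cellular) was opened before
the tunnel existed and is bypassing it; that is the state iOS 13.3.1 and 13.4
leave long-lived connections in. After the airplane-mode toggle the list of
bypassing connections should be empty.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed tunnel address (constructed for this example; check your own client).
TUNNEL_IP = "10.8.0.2"

# Constructed netstat-style listing, as on macOS/BSD ("ip.port" endpoints).
# 192.168.1.20 is the Wi-Fi address, 10.8.0.2 the tunnel; remote addresses are
# RFC 5737 documentation ranges. Port 5223 is the port Apple's push service uses.
BEFORE_TOGGLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49312     203.0.113.10.5223      ESTABLISHED
tcp4       0      0  10.8.0.2.49401         198.51.100.7.443       ESTABLISHED
tcp4       0      0  192.168.1.20.49318     203.0.113.25.443       ESTABLISHED
tcp4       0      0  192.168.1.20.49330     203.0.113.40.80        TIME_WAIT
udp4       0      0  *.5353                 *.*
"""

# Same device after the airplane-mode toggle (constructed): the old sockets are
# gone and the re-established ones carry the tunnel address.
AFTER_TOGGLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  10.8.0.2.49512         203.0.113.10.5223      ESTABLISHED
tcp4       0      0  10.8.0.2.49401         198.51.100.7.443       ESTABLISHED
tcp4       0      0  10.8.0.2.49518         203.0.113.25.443       ESTABLISHED
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    """Split 'ip.port' (macOS/BSD netstat) or 'ip:port' (Linux) into (ip, port).

    The port is whatever follows the last '.' or ':', which also copes with
    IPv6 addresses in either style.
    """
    cut = max(endpoint.rfind("."), endpoint.rfind(":"))
    return endpoint[:cut], int(endpoint[cut + 1:])


def parse_netstat(listing: str) -> List[Conn]:
    """Parse the tcp/udp rows of a netstat-style listing.

    Header lines and wildcard (listening/unbound) sockets are skipped: they
    have no peer to judge.
    """
    conns: List[Conn] = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue
        if "*" in parts[3] or "*" in parts[4]:
            continue
        local_ip, local_port = _split_endpoint(parts[3])
        remote_ip, remote_port = _split_endpoint(parts[4])
        state = parts[5] if len(parts) > 5 else ""  # UDP rows carry no state
        conns.append(Conn(parts[0], local_ip, local_port, remote_ip, remote_port, state))
    return conns


def bypassing_tunnel(conns: List[Conn], tunnel_ip: str = TUNNEL_IP) -> List[Conn]:
    """Established connections whose source address is not the tunnel's."""
    return [c for c in conns if c.state == "ESTABLISHED" and c.local_ip != tunnel_ip]


def leak_report(listing: str, tunnel_ip: str = TUNNEL_IP) -> List[str]:
    """One line per leaking connection, e.g. '192.168.1.20:49312 -> 203.0.113.10:5223'."""
    return [f"{c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}"
            for c in bypassing_tunnel(parse_netstat(listing), tunnel_ip)]


if __name__ == "__main__":
    print("before toggle:", leak_report(BEFORE_TOGGLE) or "clean")
    print("after toggle: ", leak_report(AFTER_TOGGLE) or "clean")
```

On a real host, feed `leak_report` the output of `netstat -an` taken a few seconds after the tunnel reports connected, and again after the toggle; the tunnel address to compare against is the one your VPN client shows for its interface. Sockets in TIME_WAIT or other closing states are ignored because they no longer carry traffic, and only the local address is judged, since a pre-existing connection keeps its physical-interface source address regardless of where its peer is.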

ProtonVPN has published a detailed post about the bug on its blog.