Unpatched Bug in Recent iOS Versions Keeps VPN From Encrypting All Traffic

The bug restricts affected iOS versions from closing all existing Internet connections.

Share on Facebook Tweet Snapchat Share Reddit Comment
Unpatched Bug in Recent iOS Versions Keeps VPN From Encrypting All Traffic

Photo Credit: Justin Sullivan/ Getty Images North America/ AFP

Apple is yet to release a fix for the security vulnerability, though a couple of workarounds do exist

Highlights
  • iOS 13.4 users are amongst the ones at risk due to the flaw
  • A security consultant of the Proton community reported its existence
  • iOS users can turn on and off airplane mode to manually fix the problem

An unpatched security vulnerability has been reported in recent iOS releases that prevents virtual private networks (VPNs) from being able to encrypt user traffic. The bug, which reportedly exists even in the latest iOS 13.4 update, could expose the personal data of users or provide their IP address details to attackers by bypassing the default VPN encryption. Apple hasn't provided any clarity on its fix, though you can expect an update to your iOS device in the coming days that would patch the security loophole.

Discovered initially by a security consultant of the Proton community, the VPN bypass vulnerability has affected iOS 13.3.1 and later versions, including iOS 13.4 that was rolled out just earlier this week. ProtonVPN has disclosed the issue through a blog post to make all VPN providers and end users aware of its scope.

A VPN is generally used to encrypt traffic, and once you enable a VPN on your device, its operating system typically closes existing Internet connections and re-establishes them through the VPN tunnel. However, the bug discovered in the recent iOS releases restricts the operating system from closing all existing Internet connections.

Although most Internet connections are short-lived and are likely to be re-established through the VPN tunnel, some are long-lasting and can remain active for even hours outside the tunnel. Apple's push notification service is one such example that maintains a long-running connect between the device and Apple's servers. This brings some major security concerns.

“The VPN bypass vulnerability could result in users' data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users' IP address and the IP address of the servers they're connecting to,” the ProtonVPN team writes in the blog post explaining the bug.

The team also underlines that users in countries where surveillance and civil rights abuses are common are at highest risk due to the security flaw. Moreover, VPN service providers can't provide a workaround from their end to fix the loophole since it exists at the operating system level.

That being said, affected iOS users can mitigate the VPN bypass vulnerability on their devices by turning on and off the airplane mode after connecting to a VPN service. This is likely to re-establish connectivity with existing Internet connections through the VPN tunnel.

Apple is already aware of the flaw and is expected to update iOS with a fix soon. Meanwhile, you can apply the airplane mode workaround to limit the problem to some extent. The iPhone maker also recommends its users to opt for the Always-on VPN method that requires device management software to encrypt all traffic through a VPN service.

Since iPadOS is also built on iOS, it would also have the same VPN bypass flaw and would be able to encrypt user traffic through the aforementioned workarounds.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel.

Jagmeet Singh Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a senior reporter for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at jagmeets@ndtv.com. Please send in your leads and tips. More
Call of Duty: Mobile Season 4 Will Go Live in April, Brings New Modes and Improvements
2020 Tokyo Olympics Delay Deals Setback to Samsung's Plans to Win Over Japan Market

Related Stories

 
 

Advertisement

Advertisement

© Copyright Red Pixels Ventures Limited 2020. All rights reserved.
Listen to the latest songs, only on JioSaavn.com