Bug in iOS version 13.4 may bypass VPN encryption

A bug in the freshly released iOS 13.4 can prevent VPN connections from properly encrypting all traffic. VPN provider Proton has just disclosed this.


Apple just released iOS and iPadOS version 13.4, and the first serious bug, a vulnerability, is already known. In this article the VPN provider Proton describes the details. Proton examines third-party software and operating systems for vulnerabilities that could endanger VPN connections. Normally, such vulnerabilities are not disclosed until 90 days after discovery. However, due to the severity of the vulnerability discovered, Proton has decided to publish the details immediately.

The iOS VPN Bypass Vulnerability

When a connection to a virtual private network (VPN) is established, the device's operating system usually closes all existing Internet connections for security reasons and then re-establishes them via the VPN tunnel. However, a member of the Proton community had already noticed in iOS version 13.3.1 that the operating system does not close existing connections. The problem also exists in the latest iOS/iPadOS version 13.4.

Most connections are short-lived and are eventually restored by themselves through the VPN tunnel. However, some are long-lasting and can remain open outside the VPN tunnel for minutes to hours. A prominent example is Apple's Push Notification Service, which maintains a long-term connection between the device and Apple's servers. However, the problem could affect any application or service, such as instant messaging applications or Web beacons.

This VPN bypass vulnerability could cause users' data to be exposed if the affected connections are not encrypted. However, the more common problem is IP leaks. An attacker could see the IP addresses of users and the IP addresses of the servers they connect to. In addition, the server that users connect to might see their true IP address and not that of the VPN server.
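The behaviour described above can be checked from the network side: in a capture taken on the local network, a connection opened before the tunnel came up keeps sending to its original destination instead of to the VPN server. The Python below is an added example, not code from Proton or from this post; the packet list, the addresses (documentation ranges), `VPN_SERVER` and `VPN_UP` are constructed assumptions.

```python
from datetime import datetime

# Constructed sample, not real capture data: outbound packets from one device
# as seen on the local network: (time, source port, destination IP, destination port).
VPN_SERVER = "203.0.113.10"   # assumed VPN endpoint
VPN_UP = "10:00:00"           # assumed moment the tunnel was established
PACKETS = [
    ("09:58:00", 49152, "198.51.100.7", 5223),   # long-lived push-style connection
    ("09:59:00", 49154, "192.0.2.80", 443),
    ("09:59:30", 49153, "192.0.2.44", 443),      # finished before the tunnel came up
    ("10:00:00", 49160, "203.0.113.10", 1194),   # the tunnel itself
    ("10:00:20", 49154, "192.0.2.80", 443),      # short-lived, ends soon after
    ("10:05:00", 49152, "198.51.100.7", 5223),
    ("10:30:00", 49160, "203.0.113.10", 1194),
    ("10:47:30", 49152, "198.51.100.7", 5223),   # still outside the tunnel
]

def _t(clock):
    """Parse an HH:MM:SS clock value from the sample data."""
    return datetime.strptime(clock, "%H:%M:%S")

def connections_outside_tunnel(packets, vpn_server, vpn_up):
    """Map each pre-existing connection that kept sending outside the tunnel
    to the number of seconds it stayed active after the tunnel came up."""
    up = _t(vpn_up)
    first, last = {}, {}
    for clock, sport, dst, dport in packets:
        if dst == vpn_server:
            continue                      # traffic to the VPN server is expected
        key = (sport, dst, dport)         # same source port = same connection
        t = _t(clock)
        first[key] = min(first.get(key, t), t)
        last[key] = max(last.get(key, t), t)
    return {
        key: int((last[key] - up).total_seconds())
        for key in first
        if first[key] < up < last[key]    # opened before, still active after
    }

if __name__ == "__main__":
    found = connections_outside_tunnel(PACKETS, VPN_SERVER, VPN_UP)
    for (sport, dst, dport), secs in found.items():
        print(f"{dst}:{dport} (source port {sport}) stayed outside the tunnel for {secs}s")
```

On a device that closes existing connections when the VPN connects, the function returns an empty mapping for the same kind of capture.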

Neither ProtonVPN nor any other VPN service can work around this problem, because iOS does not allow a VPN application to terminate existing network connections. All that remains is to wait for a patch from Apple. More details can be found in this article by the VPN provider Proton, as well as at Bleeping Computer. 

