Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers

The vulnerability can be exploited to reveal limited traffic data including a device’s IP address.

An unpatched bug in the latest version of Apple’s iOS is blocking virtual private network (VPN) applications from cloaking some private data transmitted between a device and the servers they are requesting data from. While the bug remains unpatched, Apple is suggesting steps users can take to reduce risk, researchers state.

The bug, outlined in a report by ProtonVPN, impacts Apple’s most recent iOS 13.4. The flaw is tied to the way VPN software loads on iOS devices. After launch, VPN software is supposed to terminate all existing internet connections and re-establish them as encrypted, protected connections through the tunnel. Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections, leaving a limited amount of data, such as a device’s IP address, unprotected and exposed for a limited window of time.

“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” researchers explained in a technical analysis of the flaw.
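The mechanism described above, sockets opened before the tunnel came up that keep running over the physical interface, is something a defender can look for in a socket-table snapshot. The audit below is an added example written for this page; it is not code from the ProtonVPN report or from Apple. It assumes a hypothetical snapshot format (interface name, remote endpoint, time the socket was established), constructed sample connections using documentation IP ranges, an assumed tunnel interface name `utun2`, and an assumed VPN gateway address that must be excluded because the tunnel's own encapsulating connection legitimately lives on the physical interface.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Connection:
    """One TCP connection as seen in a (hypothetical) socket-table snapshot."""
    local_iface: str       # interface carrying the socket, e.g. "en0" (Wi-Fi) or "utun2" (VPN tunnel)
    remote_ip: str
    remote_port: int
    established: datetime  # when the socket was opened


def find_tunnel_bypass(connections, tunnel_iface, vpn_gateway_ip):
    """Return connections that still run outside the tunnel although the tunnel is up.

    The VPN's own encapsulating connection to the gateway is expected on the
    physical interface and is excluded. Every other socket that is not bound to
    the tunnel interface is a bypass; the ones that predate the tunnel are the
    case the report describes (sockets the VPN start-up never tore down).
    """
    bypass = []
    for c in connections:
        if c.local_iface == tunnel_iface:
            continue                      # correctly inside the tunnel
        if c.remote_ip == vpn_gateway_ip:
            continue                      # the tunnel's outer connection, by design on en0
        bypass.append(c)
    return bypass


def exposure_report(bypass, tunnel_up, now):
    """Describe each bypassing connection and how long the user has been
    exposed while believing the VPN was protecting them."""
    return [
        {
            "remote": f"{c.remote_ip}:{c.remote_port}",
            "predates_tunnel": c.established < tunnel_up,
            # exposure counted from the moment the tunnel came up (or the
            # socket was opened, whichever is later)
            "minutes_outside_tunnel": int(
                (now - max(c.established, tunnel_up)).total_seconds() // 60
            ),
        }
        for c in bypass
    ]


# Constructed sample data (assumed values, not taken from the report).
TUNNEL_IFACE = "utun2"
VPN_GATEWAY_IP = "198.51.100.7"
TUNNEL_UP = datetime(2020, 3, 26, 9, 0, 0)
NOW = TUNNEL_UP + timedelta(minutes=45)
SAMPLE_CONNECTIONS = [
    # long-running push-notification style connection opened hours before the VPN
    Connection("en0", "203.0.113.10", 5223, TUNNEL_UP - timedelta(hours=2)),
    # the VPN's own encapsulating connection to its gateway (expected on en0)
    Connection("en0", VPN_GATEWAY_IP, 443, TUNNEL_UP),
    # browser connection opened after the tunnel, correctly routed through it
    Connection("utun2", "192.0.2.44", 443, TUNNEL_UP + timedelta(minutes=5)),
    # request that was in flight when the tunnel came up and was never reset
    Connection("en0", "192.0.2.80", 443, TUNNEL_UP - timedelta(seconds=10)),
]


def audit_sample():
    """Run the check over the constructed snapshot and return the report."""
    leaks = find_tunnel_bypass(SAMPLE_CONNECTIONS, TUNNEL_IFACE, VPN_GATEWAY_IP)
    return exposure_report(leaks, TUNNEL_UP, NOW)


if __name__ == "__main__":
    for entry in audit_sample():
        print(entry)
```

Run against the constructed snapshot, the audit flags the two `en0` sockets that predate the tunnel and ignores both the gateway connection and the socket already bound to `utun2`. On a real device the snapshot would have to come from the OS, which is exactly what a user cannot easily obtain on iOS; the example shows what a correct VPN start-up should leave behind (no pre-existing non-tunnel sockets) rather than how to collect that table.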

The bug remains unpatched at a critical time when many are using VPNs under work-at-home and stay-at-home restrictions imposed due to the Covid-19 pandemic.

“An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” according to the post. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.”

According to researchers, Apple said users can enable Always-on VPN to mitigate the issue; that method, however, requires using device management, according to a post by the company. This means it doesn’t mitigate the issue for third-party VPNs people might be using on their devices, researchers said.

To be clear, the flaw’s impact is limited. iOS apps are required to use App Transport Security, which protects transmitted data via HTTPS. That said, researchers warn the VPN bypass bug’s biggest threat is potentially revealing a device’s IP address. That data, associated with internet usage, can allow a third party to collect user metadata. A user’s long tail of digital metadata can be used to exploit them or give overbearing governments insight into otherwise private internet activities.

Researchers add that the bug can also unpredictably impact other iOS communications. “One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons,” researchers wrote.

Typically Proton would wait 90 days before exposing a flaw in third-party software through its responsible disclosure program. However, researchers thought it prudent to make an exception in this case and alert its own VPN users to the vulnerability.

Apple this week already released a slew of patches in a security update across its iOS and macOS systems as well as for its Safari browser, watchOS, tvOS and iTunes. However, a patch for the VPN bypass flaw was not one of them, though the company did repair a serious flaw in the WebKit for iOS and Safari that could enable remote code execution.

In the meantime, ProtonVPN offered some practical advice for mitigating the iOS VPN bypass vulnerability while it remains unpatched.

One option for users is to connect to their third-party VPN, turn on airplane mode (which kills all internet connections and temporarily disconnects the VPN), and then turn airplane mode off again. This should allow the VPN to reconnect and other connections to come back online through the VPN tunnel, according to the post.

However, ProtonVPN researchers acknowledged that “we cannot guarantee this 100 percent.”