Apple is touted as one of the more security-conscious Silicon Valley companies, at least by its user base. While this is somewhat true, no company is immune to bugs. This is being proven by a rather unique vulnerability that, instead of allowing something like remote code execution or other typical bug exploits, affects Apple iOS VPN connections.
In a vulnerability report posted by the Swiss company ProtonVPN, it is shown how a rather severe issue is making secure VPN connections impossible:
A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.)… one prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons.
As ProtonVPN astutely notes, there are two major issues that put users, especially those who are trying to escape surveillance, at risk. The bypass vulnerability can allow the data transmitted over the broken connection to be intercepted by bad actors (assuming the connections are not also encrypted). The Apple VPN vulnerability more likely, however, is IP leaks. This will allow a malicious individual to see not only the user’s true IP address (therefore gaining their location) but also the IP of all the servers that are being accessed. ProtonVPN verified this by capturing network data with Wireshark.
What is problematic about this vulnerability is that Apple has to be the one to fix it. What is meant by this, is that there is no workaround that any VPN company can use. The reason, as ProtonVPN states, “iOS does not permit a VPN app to kill existing network connections.” If Apple wants to protect its reputation, it needs to patch this ASAP or risk losing customers. Comments on the article showed extreme displeasure with the company, and while this is a small sample size of users, the sentiment is likely shared by privacy-minded Apple consumers.
Until this Apple VPN vulnerability is fixed, keep activity on your iOS to a minimum. Actually, everyone should consider using the Tor browser and, if you have sensitive business to conduct, use it for now.
Featured image: Flickr/Richard Patterson