Apple's New iOS 13.4 Release Still Has A Bug That Prevents VPNs From Encrypting All Traffic
iPhone users should be aware that there is an unpatched security vulnerability that impacts iOS 13.3.1 and later versions of the operating system (including the newly released iOS 13.4). This unpatched security vulnerability prevents VPN networks from encrypting all traffic and can cause some Internet connections to bypass VPN encryption exposing the user's data or IP address. Connections that are made after connecting to a VPN on the iOS device are unaffected by the bug, but previously established connections bypass the VPN secure tunnel.
The security vulnerability was discovered by a security consultant that is part of the Proton community, and ProtonVPN disclosed the issue. ProtonVPN said that it wanted to make users and other VPN providers aware of the security issue on iOS. The company said that while most VPN connections are short-lived, some are long-lasting and can remain open for minutes to hours outside of the VPN tunnel.
The issue for users is while the connections are open outside the VPN secure channel, user data could be exposed to third-parties. The issue could also potentially leak the IP address of the user, revealing their location or exposing destination servers to attack. When using a VPN, the user should only see traffic being exchanged between their devices. Since previously open connections are being terminated before the VPN connects, the VPN servers, local IP addresses, and other IP addresses will show up.
ProtonVPN says that push notifications from Apple are a good example of processes using connections to Apple servers that aren't closed automatically. The company says that the bug can affect any service or app running on the user's iOS device, including web beacons and messaging applications. The company also notes that no VPN provider can provide users with a fix for the issue because iOS doesn't permit a VPN app to kill existing connections.
ProtonVPN says that it notified Apple last year and is now warning users so they can stay safe. Apple has acknowledged the VPN bypass issue and is researching options to mitigate it. The current workaround provided by ProtonVPN is to connect to the VPN server, turn on airplane mode, and then turn off airplane mode. That will reestablish the VPN, and all connections will reconnect inside the VPN tunnel, but the company warns the workaround isn't 100 percent reliable.