Skip links

Two years on, Apple iOS VPNs still leak IP addresses

Apple has left a VPN bypass vulnerability in iOS unfixed for at least two years, leaving identifying IP traffic data exposed, and there’s no sign of a fix.

Back in early 2020, secure mail provider ProtonMail reported a flaw in Apple’s iOS version 13.3.1 that prevented VPNs from encrypting all traffic. The issue was that the operating system failed to close existing connections.

This could potentially allow an attacker to identify a VPN user’s source IP address. For those actually relying on hiding that data to avoid attention from a repressive regime or someone seeking private information, this is not a trivial concern.

ProtonMail at the time said Apple was aware of the issue and that Cupertino was looking at mitigation options. Apple has a workaround for enterprise users with company-managed devices, an Always On VPN. But that’s not an option for consumers or others with self-managed devices.

ProtonMail revised its March 25, 2020 post every few months to note that subsequent iOS versions 13.4, 13.5, 13.6, 13.7 and 14 all left the vulnerability unfixed. The company’s last update is dated October 19, 2020.

Fixing leaks, or not

Earlier this year, Michael Horowitz, a veteran software developer and consultant, revisited the situation and found that VPNs on iOS are still vulnerable and leaking data.

“VPNs on iOS are broken,” he wrote in an August 5 update to a May 25 post titled “VPNs on iOS are a scam.” “At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server.”

“But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak.”

His post includes router log data that demonstrates the data leakage.

Then ten days ago, Horowitz updated his post to confirm that iOS 15.6 – Apple’s latest iOS release if you don’t could the 15.6.1 update that went out yesterday to patch two zero-day bugs – is still vulnerable.

Dead silence

The Register asked Apple to comment and the company has not responded, which is not completely expected.

Apple’s long-standing resistance to engaging with the public, the press, and security community, to respond openly to concerns, and to provide status updates about outstanding issues allows issues like this to fester – until the public clamor grows so loud it cannot be ignored. It’s the same bunker-mentality communications policy that allowed the company to formulate a CSAM scanning plan for iCloud that blew up in its face once the public got wind of the idea.

Horowitz reports emailing Apple about VPN data leakage in May when his post first went up. In July, he wrote, “Since then, there have been a number of emails between myself and the company (yes, plain old unencrypted email – no security at all). To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to recreate the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix.”

What’s more, Horowitz says that Yegor Sak, the co-founder of VPN service Windscribe, got in touch to say his company is aware of the data leak and has submitted multiple reports to Apple.

When security firm Sophos noted ProtonMail’s post back in March 2020, author John Dunn observed, “At least Apple knows about the issue.” Two and a half years on, Apple’s awareness looks indistinguishable from ignorance. ®