A vulnerability in iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic, allowing some Internet connections to bypass encryption and potentially expose user data and IP addresses.
Screenshot of ProtonVPN showing how it connects to Apple VPN-protected servers
Details of this vulnerability were shared today by Bleeping Computer after it was discovered by ProtonVPN. The vulnerability arises because iOS does not terminate all existing connections when a user connects to a VPN; closing them would let them reconnect to the target servers after the VPN tunnel is established.
Connections made after connecting to a VPN on iOS are not affected by this bug, but connections established beforehand are not secure. A user who believes that he or she is protected could therefore accidentally expose the IP address and, with it, an approximate location.
Apple's push notifications are an example of a process that uses connections to Apple's servers that are not closed automatically when connecting to a VPN, but the issue may affect applications or services running on the user's device.
VPN apps can't work around this issue, because iOS doesn't allow them to kill existing network connections, so the fix has to come from Apple. Apple is aware of this vulnerability and is looking for ways to mitigate it.
Until a fix is available, VPN users can connect to a VPN server, turn on Airplane mode, and then turn off Airplane mode to kill existing connections. However, this mitigation is not entirely reliable, so iPhone and iPad owners who rely on VPNs need to be careful until Apple fixes it.
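One way to check for this behaviour, or to confirm that the Airplane mode workaround took effect, is to inspect a packet capture taken on the local network (for example at the router) for flows that were open before the tunnel came up and still exchange packets directly with their destination afterwards. The following Python is an added example, not ProtonVPN's or Apple's code; the `Packet` record, the `find_leaks` function, and all addresses, ports and timestamps are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Packet:
    ts: float   # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int

def flow_key(p):
    # Direction-independent identifier for a connection.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def find_leaks(packets, device_ip, vpn_server_ip, tunnel_up_ts):
    """Map each flow that bypasses the VPN after tunnel-up to
    'pre-existing' (open before the tunnel, the case described above)
    or 'new' (opened afterwards, which would be a different leak)."""
    vpn = ip_address(vpn_server_ip)
    seen_before, leaks = set(), {}
    for p in sorted(packets, key=lambda p: p.ts):
        if device_ip not in (p.src, p.dst):
            continue  # not this device's traffic
        peer = p.dst if p.src == device_ip else p.src
        key = flow_key(p)
        if p.ts < tunnel_up_ts:
            seen_before.add(key)
        elif ip_address(peer) != vpn:
            # On the LAN, tunnelled traffic only ever talks to the VPN server.
            leaks.setdefault(key, "pre-existing" if key in seen_before else "new")
    return leaks

# Constructed sample capture (documentation address ranges, not real hosts).
DEVICE, VPN, PUSH, WEB = "192.168.1.20", "203.0.113.10", "198.51.100.5", "198.51.100.80"
TUNNEL_UP = 10.0
SAMPLE = [
    Packet(1.0, DEVICE, 50001, PUSH, 5223),   # long-lived push connection
    Packet(2.0, DEVICE, 50002, WEB, 443),     # short web request, goes idle
    Packet(10.5, DEVICE, 4500, VPN, 4500),    # tunnel traffic
    Packet(12.0, PUSH, 5223, DEVICE, 50001),  # old connection still outside tunnel
    Packet(13.0, DEVICE, 4500, VPN, 4500),
]

if __name__ == "__main__":
    for flow, kind in find_leaks(SAMPLE, DEVICE, VPN, TUNNEL_UP).items():
        print(kind, flow)
```

An empty result after toggling Airplane mode means no direct flows were seen during the capture window; it does not prove none exist.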