VPNs on iOS devices do not terminate network sessions that were established before the VPN connected, so those sessions keep running outside the tunnel. Horowitz said the flaw has security implications for iPhone and iPad users who assume that, once a VPN is up, their real IP address and all of their traffic are protected by it. Horowitz wrote about the flaw on his website, declaring: “VPNs on iOS are a scam.”
Details of Horowitz’s Experiment
Michael Horowitz is an independent computer consultant and blogger, self-described as having decades of experience in the computer industry. Earlier this year, he ran an experiment to check whether all data passes through a VPN tunnel once the VPN is connected. To do so, Horowitz logged every outbound session from his iPad after connecting to a VPN. If the VPN were working as expected, the router would show no new outbound requests from the iPad other than the tunnel to the VPN server itself, he said. Although the experiment is fairly straightforward, it cannot be performed on most consumer routers, as they do not have the ability to log outbound requests. Horowitz used the Peplink Balance 20x router, running firmware 8.2.0. He first tested ProtonVPN and OVPN on his iPad running iOS version 15.4.1, and then repeated the tests after updating to iOS version 15.6. In both cases, the router detected communications with Apple IP addresses outside the VPN tunnel. “VPNs on iOS are broken,” Horowitz declared. “This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers.”
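The check Horowitz ran can be automated against exported router connection records. The script below is an added example, not Horowitz's code and not the Peplink log format; the record layout (session start, last seen, source, destination, port, protocol), the iPad's LAN address, the VPN endpoint address and the tunnel start time are all assumptions, and the sample records are constructed for the illustration. It goes one step beyond the experiment as described: it separates sessions that were already open when the tunnel came up (the behaviour Horowitz and Proton describe) from sessions opened afterwards (what a working kill switch should prevent), and marks port 53 flows so a classic DNS leak can be told apart from other data leaving the tunnel.

```python
"""Flag device traffic that bypasses a VPN tunnel, from router connection records.

Added example. The log format below is invented for this illustration (it is
not Peplink's); each record is: start,last_seen,src,dst,dport,proto.
"""
from dataclasses import dataclass
from datetime import datetime

DEVICE_IP = "192.168.1.23"                         # assumption: the iPad's LAN address
VPN_SERVER = "203.0.113.10"                        # assumption: VPN endpoint (TEST-NET-3 range)
VPN_CONNECTED_AT = datetime(2022, 8, 1, 10, 0, 0)  # assumption: when the tunnel came up

# Constructed sample records. 17.0.0.0/8 is Apple's address block and 5223/tcp is the
# push-notification port; the specific addresses and times here are made up.
SAMPLE_LOG = """\
2022-08-01T09:58:12,2022-08-01T10:05:40,192.168.1.23,17.57.144.10,5223,tcp
2022-08-01T09:59:30,2022-08-01T10:04:02,192.168.1.23,17.253.144.10,443,tcp
2022-08-01T10:00:00,2022-08-01T10:20:00,192.168.1.23,203.0.113.10,51820,udp
2022-08-01T10:01:15,2022-08-01T10:01:16,192.168.1.23,192.168.1.1,53,udp
2022-08-01T10:02:00,2022-08-01T10:03:00,192.168.1.50,93.184.216.34,443,tcp
2022-08-01T09:50:00,2022-08-01T09:55:00,192.168.1.23,93.184.216.34,443,tcp
"""


@dataclass
class Flow:
    start: datetime
    last_seen: datetime
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class Leak:
    kind: str   # "pre-existing": session survived tunnel setup; "new": opened after it
    flow: Flow


def parse_log(text):
    """Parse the constructed CSV-style records into Flow objects."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        start, last, src, dst, dport, proto = line.split(",")
        flows.append(Flow(datetime.fromisoformat(start), datetime.fromisoformat(last),
                          src, dst, int(dport), proto))
    return flows


def find_leaks(text, device_ip, vpn_server, connected_at):
    """Return every flow from device_ip that was alive after connected_at and
    did not go to the VPN server, i.e. traffic that bypassed the tunnel."""
    leaks = []
    for f in parse_log(text):
        if f.src != device_ip:            # another host on the LAN; not our device
            continue
        if f.last_seen < connected_at:    # finished before the tunnel existed
            continue
        if f.dst == vpn_server:           # the tunnel itself is expected traffic
            continue
        kind = "pre-existing" if f.start < connected_at else "new"
        leaks.append(Leak(kind, f))
    return leaks


def describe(leak):
    """One human-readable line per leak; port 53 is called out as a DNS leak."""
    f = leak.flow
    note = "DNS" if f.dport == 53 else "data"
    return (f"{leak.kind:12s} {note:4s} {f.src} -> {f.dst}:{f.dport}/{f.proto} "
            f"(started {f.start.isoformat()})")


if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, DEVICE_IP, VPN_SERVER, VPN_CONNECTED_AT):
        print(describe(leak))
```

With the sample records the script reports three flows: two Apple sessions opened before the tunnel and still alive afterwards, and one DNS query to the LAN router sent after the tunnel was up. A VPN that behaved as users expect would produce an empty list; a kill switch that works as advertised should at least eliminate every "pre-existing" entry. Whether a LAN-local destination such as the router counts as a leak depends on whether the VPN is configured to exclude local networks, so treat those entries according to your own policy.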
Proton Found VPN Bypass Vulnerability in 2020
It is important to note that this discovery is not exactly new. Proton published a public post about this vulnerability in March 2020, reporting the same flaw on devices running iOS version 13.4. According to Proton, connections established after the VPN connects are secure and stay within the VPN tunnel. However, connections that were already open when the tunnel came up are not closed, which means some data continues to travel outside the tunnel. Apps and services such as FaceTime, Game Center, and Apple’s push notification service maintained contact and communicated with Apple’s servers outside of VPN tunnels. “It is surprising to find this problem has persisted for so long. My testing took very little hardware, software or expertise. With the billions of iOS users, it is hard to imagine that no one else bothered testing this. Then again, the world was a bit distracted in March of 2020,” Horowitz said.
Apple’s ‘Kill Switch’ not an Effective Solution
Proton’s post ended on a positive note, stating that Apple had plans to address the issue. In a way, this was true: starting with iOS 14, Apple gave VPN app developers the ability to implement a “kill switch.” In VPN terminology, a kill switch normally refers to cutting off the device’s internet connection if the VPN tunnel fails, so that no traffic escapes unprotected. Apple’s version instead lets a VPN app block the sessions that were already open when the VPN connected. Unfortunately, both Horowitz and Proton found that some data still travels outside the VPN tunnel even when the kill switch is enabled. “The bug that ProtonVPN first wrote about in March 2020, still exists,” Horowitz said. “iOS 15.4.1 still does not terminate existing connections/sessions when it creates a VPN tunnel. This presents assorted dangers. Connections outside the VPN communicate your real public IP address and there is no guarantee that they are encrypted. They are also vulnerable to ISP spying. And, a VPN provides what should be a trustworthy DNS service. Outside the VPN, anything goes.”
Recommendations for iOS VPN Users
Unfortunately, there does not seem to be a clear-cut solution at this time. Apple recommends using Always-on VPN, which does prevent the leak. However, Always-on VPN requires a supervised device enrolled in mobile device management (MDM) with a configuration profile, so it is an enterprise feature rather than a solution for regular users. Proton said users can try an Airplane Mode trick, but Proton does not guarantee that it will work. Horowitz recommends running the VPN client on a router instead of on the iOS device, so that every connection from the device is forced through the tunnel regardless of when it was established. He said it would be ideal to use a dedicated router for VPN connections, separate from your primary router.