Thursday, August 18, 2022

iOS VPNs Are Broken

Tim Hardwick (Hacker News):

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Both Proton and Horowitz say that toggling Airplane Mode does not work around the problem.

Michael Horowitz:

It also seems that Apple has a level of trust that they do not deserve. Back in March 2020, Steve Gibson said “… Apple’s going to fix this. I’m sure it’s already been fixed in-house. They’re probably moments away from pushing out a fix to this because it’s gotten a lot of attention in the industry … I imagine within a few days this’ll be fixed.” A slightly more skeptical John Dunn of Sophos wrote at the time that “A patch might not appear for weeks”. It has been over two years.

I emailed Apple at their special email address for reporting security issues on May 19, 2022 and, for a week, there was no response. On May 26th, I emailed again and, this time, Apple responded the next day.

[…]

To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix.

Still no response or fix for the Mail bug I and others reported nearly 3 years ago, where moving messages between mailboxes instead deletes them, even though it was widely reported.

4 Comments

Yeah, known issue. Has been for years. Worse, there's no support for layer 2 tunnelling, a limitation that will soon be coming to a Mac near you as well just as soon as kexts are killed off (unless Apple provides something official, of course).

What's that about layer 2 tunneling disappearing from MacOS?

@Kristoffer See e.g. this.

Thanks 👍
