Thursday, August 18, 2022

iOS VPNs Are Broken

Tim Hardwick (Hacker News):

Third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on, something Apple has known about for years, a longtime security researcher has claimed (via ArsTechnica).

Writing on a continually updated blog post, Michael Horowitz says that after testing multiple types of virtual private network (VPN) software on iOS devices, most appear to work fine at first, issuing the device a new public IP address and new DNS servers, and sending data to the VPN server. However, over time the VPN tunnel leaks data.

Both Proton and Horowitz say that toggling Airplane Mode does not work around the problem.

Michael Horowitz:

It also seems that Apple has a level of trust that they do not deserve. Back in March 2020, Steve Gibson said “… Apple’s going to fix this. I’m sure it’s already been fixed in-house. They’re probably moments away from pushing out a fix to this because it’s gotten a lot of attention in the industry … I imagine within a few days this’ll be fixed.” A slightly more skeptical John Dunn of Sophos wrote at the time that “A patch might not appear for weeks”. It has been over two years.

I emailed Apple at their special email address for reporting security issues on May 19, 2022 and, for a week, there was no response. On May 26th, I emailed again and, this time, Apple responded the next day.


To date, roughly five weeks later, Apple has said virtually nothing to me. They have not said whether they tried to re-create the problem. They have not said whether they agree on this being a bug. They have not said anything about a fix.

Still no response or fix for the Mail bug I and others reported nearly 3 years ago, where moving messages between mailboxes instead deletes them, even though it was widely reported.


Update (2022-10-11): Ben Lovejoy:

Proton told me that it was aware of the claimed fix, and had tested it at the time. However, the company found that it was only partially effective. Insecure connections to some Apple services remain in place after a VPN is activated.


Amplifi responded to a customer query by saying that it had tested the fix, and found it caused reliability problems.


Horowitz additionally pointed out that even iOS doesn’t seem to know whether or not a VPN service is active.

See also: ArsTechnica (via Hacker News).

Update (2022-10-14): Mysk (via doekezanstra):

We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet.

Update (2023-07-26): Mysk:

iOS 16.5.1 still bypasses the VPN. New tests show that Apple Push Notification traffic completely ignores the VPN connection. Apple Maps sends many requests outside the VPN, including unencrypted DNS requests. This also happens in the Lockdown Mode. 🎬

4 Comments

Yeah, known issue. Has been for years. Worse, there's no support for layer 2 tunnelling, a limitation that will soon be coming to a Mac near you as well just as soon as kexts are killed off (unless Apple provides something official, of course).

What's that about layer 2 tunneling disappearing from MacOS?

@Kristoffer See e.g. this.

Thanks 👍
