An unpatched bug in iOS version 13.3.1 or later is preventing VPNs from working properly, potentially opening up users to data breaches.
The vulnerability, disclosed by ProtonVPN, does not terminate a connection when the user connects to a VPN, meaning that if kept active, unencrypted data could be transferred and possibly intercepted.
Unencrypted data can easily reveal personal details like IP address, location, or even expose users and the servers to cyber-attacks.
iOS vulnerability
“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own,” ProtonVPN explained. “However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.”
Connections made after the VPN tunnel is activated remain secured and while most other OS terminate the existing connections, iOS for some reason keeps the old versions alive.
Researchers at ProtonVPN cited an example of Apple’s push notifications which uses a process to communicate with Apple’s servers for a long time. This connection does not get terminated automatically and may affect any service or app on the user’s iOS device.
While this bug might not impact an average user, “people in countries where surveillance and civil rights abuses are common,” are at high risk, ProtonVPN noted.
Due to security limitations, any third-party app or VPN cannot terminate these open connections on iOS. The report also suggests that Apple has acknowledged the VPN bypass vulnerability, and until it releases a solution, it recommends customers use an always-on VPN.
People who use other VPN apps can manually kill all the active connections by enabling and disabling Airplane mode after connecting to a VPN. While this workaround may kill most of the active connections, it may not be a 100% effective solution.
- Let us help you pick the best VPN options
Via: BleepingComputer
