Vulnerability in Apple’s iOS exposes VPN user location data
A security vulnerability in iOS 13.3.1 and later versions of Apple Inc.’s mobile operating system has been found that prevent virtual private networks from encrypting all traffic, potentially exposing user location data.
Discovered by a user of ProtonVPN and detailed Wednesday by security researchers at Proton Technologies AG, the vulnerability relates to iOS not closing existing connections.
Whether it’s a vulnerability by design is where things become interesting as the failure to close connections is said to be related to Apple’s push notification service that maintains a long-running connection. As a consequence, that long-running connection also affects any app or service, including VPNs.
The VPN bypass vulnerability is said to expose user data if the affected connections are not encrypted — they mostly are — as well as exposing IP address, the latter the more serious of the two issues. “An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” the researchers explained. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.”
There’s currently no patch available for the vulnerability but there are ways for users to mitigate their exposure. Users are advised, after connecting to a VPN, to turn airplane mode on and then off, since that kills all internet connections and then reestablishes them directly.
Craig Young, computer security researcher at Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE that the bug could be a big concern for people who rely on VPN technology for privacy.
“In this scenario, users may falsely believe their secure tunnel is shielding all personal data from nearby observers, network administrators, and remote site operators,” Young explained. “In this case, however, it is possible for data to be sent underprotected or for a real IP address to show up in remote server logs.”
Many users, he added, specifically like using a VPN for privacy while using untrusted networks such as the free Wi-Fi found in places like cafes, convention centers and airports. “On this end, Apple may have caught something of a break as COVID-19 has largely shut down most of these places iOS users are more likely to be using an untrusted network,” he said.
Employees using a VPN to access corporate network resources, as many more may be doing while working from home during the coronavirus pandemic, would be less affected, he added. “But a clever attacker may still leverage this to spoof corporate resources,” Young said. “This is an example of why it is helpful to access sites via HTTPS even when the communication should already be protected by a VPN.”
A message from John Furrier, co-founder of SiliconANGLE:
Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.
We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.