Vulnerability in Apple’s iOS exposes VPN user location data
A security vulnerability in iOS 13.3.1 and later versions of Apple Inc.’s mobile operating system has been found that prevent virtual private networks from encrypting all traffic, potentially exposing user location data.
Discovered by a user of ProtonVPN and detailed Wednesday by security researchers at Proton Technologies AG, the vulnerability relates to iOS not closing existing connections.
Whether it’s a vulnerability by design is where things become interesting as the failure to close connections is said to be related to Apple’s push notification service that maintains a long-running connection. As a consequence, that long-running connection also affects any app or service, including VPNs.
The VPN bypass vulnerability is said to expose user data if the affected connections are not encrypted — they mostly are — as well as exposing IP address, the latter the more serious of the two issues. “An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” the researchers explained. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.”
There’s currently no patch available for the vulnerability but there are ways for users to mitigate their exposure. Users are advised, after connecting to a VPN, to turn airplane mode on and then off, since that kills all internet connections and then reestablishes them directly.
Craig Young, computer security researcher at Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE that the bug could be a big concern for people who rely on VPN technology for privacy.
“In this scenario, users may falsely believe their secure tunnel is shielding all personal data from nearby observers, network administrators, and remote site operators,” Young explained. “In this case, however, it is possible for data to be sent underprotected or for a real IP address to show up in remote server logs.”
Many users, he added, specifically like using a VPN for privacy while using untrusted networks such as the free Wi-Fi found in places like cafes, convention centers and airports. “On this end, Apple may have caught something of a break as COVID-19 has largely shut down most of these places iOS users are more likely to be using an untrusted network,” he said.
Employees using a VPN to access corporate network resources, as many more may be doing while working from home during the coronavirus pandemic, would be less affected, he added. “But a clever attacker may still leverage this to spoof corporate resources,” Young said. “This is an example of why it is helpful to access sites via HTTPS even when the communication should already be protected by a VPN.”
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.