UPDATED 23:34 EST / MARCH 26 2020

SECURITY

Vulnerability in Apple’s iOS exposes VPN user location data

A security vulnerability in iOS 13.3.1 and later versions of Apple Inc.’s mobile operating system has been found that prevent virtual private networks from encrypting all traffic, potentially exposing user location data.

Discovered by a user of ProtonVPN and detailed Wednesday by security researchers at Proton Technologies AG, the vulnerability relates to iOS not closing existing connections.

Whether it’s a vulnerability by design is where things become interesting as the failure to close connections is said to be related to Apple’s push notification service that maintains a long-running connection. As a consequence, that long-running connection also affects any app or service, including VPNs.

The VPN bypass vulnerability is said to expose user data if the affected connections are not encrypted — they mostly are — as well as exposing IP address, the latter the more serious of the two issues. “An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” the researchers explained. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.”

There’s currently no patch available for the vulnerability but there are ways for users to mitigate their exposure. Users are advised, after connecting to a VPN, to turn airplane mode on and then off, since that kills all internet connections and then reestablishes them directly.

Craig Young, computer security researcher at Tripwire Inc.’s vulnerability and exposure research team, told SiliconANGLE that the bug could be a big concern for people who rely on VPN technology for privacy.

“In this scenario, users may falsely believe their secure tunnel is shielding all personal data from nearby observers, network administrators, and remote site operators,” Young explained. “In this case, however, it is possible for data to be sent underprotected or for a real IP address to show up in remote server logs.”

Many users, he added, specifically like using a VPN for privacy while using untrusted networks such as the free Wi-Fi found in places like cafes, convention centers and airports. “On this end, Apple may have caught something of a break as COVID-19 has largely shut down most of these places iOS users are more likely to be using an untrusted network,” he said.

Employees using a VPN to access corporate network resources, as many more may be doing while working from home during the coronavirus pandemic, would be less affected, he added. “But a clever attacker may still leverage this to spoof corporate resources,” Young said. “This is an example of why it is helpful to access sites via HTTPS even when the communication should already be protected by a VPN.”

Photo: Pxfuel

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU