iOS Still Has Unpatched VPN-Related Issue 2 Years After Disclosure; iPhone Users' Data at Risk: Researcher
A researcher has claimed that VPNs on iOS are leaking user data due to an issue that was privately disclosed to Apple nearly 2 years ago. According to the researcher, the unpatched security vulnerability means iOS handsets do not route all network traffic through VPN apps as expected, leaving some data outside the device's VPN tunnel. The flaw was first disclosed by ProtonVPN in 2020; however, the researcher said the Cupertino-based company has not yet addressed the vulnerability.
Researcher Michael Horowitz claimed in a blog post that VPN apps on iOS seem to work fine at first, meaning "the iOS device gets a new public IP address and a new DNS server" as it should. The data is sent to the VPN server, but the researcher says that a detailed examination of the data coming from the iOS device shows that the VPN tunnel is leaking. "Data leaves the iOS device outside the VPN tunnel. This is not a classic/legacy DNS leak, this is a data leak," Horowitz added.
A VPN is used to encrypt traffic. Once enabled, it should give the device a new IP address, new DNS servers, and a tunnel for new traffic, shutting down existing Internet connections and re-establishing them through the VPN tunnel. However, a bug in iOS prevents the operating system from shutting down all existing Internet connections, so some of them keep "leaking" data outside the VPN tunnel, which poses some major security concerns.
To better understand, consider a movie-like scenario in which you are driving a red car and someone is following you in a helicopter to track you. When you enter a tunnel, the helicopter can't see you from above, and you come out driving a white car that acts as a cloak for your identity. But if there's a flaw in the cloak that lets information through, trackers could still identify the car as yours. Apple has yet to issue a response to the matter, and we've reached out for comment.
The researcher also claims that he verified this data leak using multiple types of VPNs and software from multiple VPN providers. He tested it on the latest version of iOS (iOS 15.6). The issue was first reported publicly by ProtonVPN in 2020 and iPhone models at the time were running iOS v13. According to a report, Apple is yet to fully address the issue and provide a solution.
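One way to look for this kind of leak in traffic records captured at the router, as an added example that is not code from the researcher or from ProtonVPN. The record format, addresses (documentation ranges), ports and timestamps are constructed assumptions.

```python
from collections import namedtuple

# One record per observed packet, as a router-side capture might summarise it
# (constructed format, not the output of any specific tool).
Flow = namedtuple("Flow", "ts src sport dst dport proto")

def find_leaks(flows, device_ip, vpn_server, vpn_up_at):
    """Return (flow, kind) for device traffic seen outside the tunnel after
    the VPN came up.

    kind is "pre-existing" when the same connection was already open before
    the VPN connected (the case the article describes), otherwise "new".
    """
    before = set()   # connections the device had open before the VPN came up
    leaks = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src != device_ip:
            continue                      # traffic from other devices
        conn = (f.src, f.sport, f.dst, f.dport, f.proto)
        if f.ts < vpn_up_at:
            before.add(conn)              # remember it, not a leak yet
            continue
        if f.dst == vpn_server:
            continue                      # expected: encrypted tunnel traffic
        leaks.append((f, "pre-existing" if conn in before else "new"))
    return leaks

# Constructed sample capture.
DEVICE, VPN, VPN_UP = "192.168.1.50", "203.0.113.10", 100.0
SAMPLE = [
    Flow(90.0,  DEVICE, 50001, "198.51.100.7", 443, "tcp"),    # opened before VPN
    Flow(95.0,  DEVICE, 50002, "198.51.100.9", 443, "tcp"),    # opened before VPN
    Flow(101.0, DEVICE, 51000, VPN, 51820, "udp"),             # tunnel traffic
    Flow(120.0, DEVICE, 50001, "198.51.100.7", 443, "tcp"),    # old connection still alive
    Flow(140.0, DEVICE, 51002, "192.0.2.44", 443, "tcp"),      # new, outside tunnel
    Flow(150.0, "192.168.1.77", 40000, "192.0.2.44", 443, "tcp"),  # another device
]

if __name__ == "__main__":
    for flow, kind in find_leaks(SAMPLE, DEVICE, VPN, VPN_UP):
        print(f"{kind:12} t={flow.ts:6.1f} {flow.dst}:{flow.dport}/{flow.proto}")
```

With the VPN working as intended, the function returns an empty list: after the tunnel is up, the only destination the device should talk to is the VPN server.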
Ars Technica quoted Andy Yen, founder and CEO of Proton, as saying, "The fact that this is still a problem is disappointing to say the least. We first reported this problem to Apple two years ago privately. Apple refused to fix this problem, which is why we disclosed the public safety risk. The security of millions of people is in Apple's hands, they are the only ones who can fix the problem, but given the lack of action over the past two years, we're not very optimistic that Apple will do the right thing."