Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug Encryption IOS Network Operating Systems Software The Internet Apple

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com) 19

An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private network (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel as ProtonVPN disclosed.

The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks.
Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
This discussion has been archived. No new comments can be posted.

Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic

Comments Filter:
  • by phalse phace ( 454635 ) on Thursday March 26, 2020 @07:20PM (#59875992)

    A currently unpatched security vulnerability affecting iOS 13.3.1 or later

    Does that mean that earlier versions of iOS are not affected?

    Another reason to stick with 12.4.1

  • by jmccue ( 834797 )

    So the workaround is to use "Always-on VPN", which I never heard of. Did a google and seems "Always-on VPN" is a Microsoft Product.

    So Apple says to use a Microsoft product on IOS ? Nice since I think a good deal of Apple's customers went to Apple to avoid M/S

    This shows how intertwined big commercial Tech Companies are. I have not use Apple at all and M/S in so long I barely remember DOS commands. At least for now Linux is still not dependent on those companies (excluding funding from M/S)

  • by terminal.dk ( 102718 ) on Friday March 27, 2020 @01:35AM (#59876710) Homepage

    This is not a bug, it is a feature.

    They would get angry users if turning on VPN killed all running connections, unless of course apps are designed to survive interruption and resume. And in my experience this is not the case. Too many developers just expects the API to work. Any failure is not their fault. The user should just get stable Internet.

    Maybe the VPN is split tunnel, then no reason to disconnect old. And since old connections already compromised, not reason to force them down.

    • by tlhIngan ( 30335 )

      They would get angry users if turning on VPN killed all running connections, unless of course apps are designed to survive interruption and resume. And in my experience this is not the case. Too many developers just expects the API to work. Any failure is not their fault. The user should just get stable Internet.

      Plus, some connections cannot be resumed automatically without user intervention - perhaps something requires 2FA and thus breaking the link requires the user to re-login into the service.

      The real p

  • As much as Apple cares about privacy, I can imagine there is some company resistance behind people using VPNs and the TOR browser on an iPhone. Maybe it's just advertising/marketing data they harvest. Maybe it's worse than that.
  • Suuuuure

Doubt is not a pleasant condition, but certainty is absurd. - Voltaire

Working...