Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic (bleepingcomputer.com)
An anonymous reader quotes a report from Bleeping Computer: A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users' data or leak their IP addresses. While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN's secure tunnel, as ProtonVPN disclosed.
The bug is due to Apple's iOS not terminating all existing Internet connections when the user connects to a VPN and having them automatically reconnect to the destination servers after the VPN tunnel is established. "Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own," ProtonVPN explains. "However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel." During the time the connections are outside of the VPN secure communication channels, this issue can lead to serious consequences. For instance, user data could be exposed to third parties if the connections are not encrypted themselves, and IP address leaks could potentially reveal the users' location or expose them and destination servers to attacks. Until Apple provides a fix, the company recommends using Always-on VPN to mitigate this problem. "However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN," the report adds.
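The mechanism above (pre-existing sockets keep their old path while new ones go through the tunnel) is something you can check for yourself on a host where you control the socket listing. The following is an added example, not code from the Bleeping Computer report or from ProtonVPN, and it targets Linux `ss -tn` output rather than iOS, which exposes no equivalent listing to the user. The tunnel subnet (10.8.0.0/24), the VPN server address (203.0.113.1) and both socket snapshots are constructed for the example. It diffs a "before tunnel" and an "after tunnel" snapshot and reports connections that survived tunnel establishment on the physical interface, the long-lived connections the report describes, separately from new connections that were never routed into the tunnel at all.

```python
"""Audit which established TCP connections sit outside a VPN tunnel.

Added example (not code from the Bleeping Computer report or ProtonVPN).
It parses `ss -tn`-style socket listings taken before and after a tunnel
came up and reports the connections that survived tunnel establishment on
the physical interface. The tunnel subnet, VPN server address and socket
listings below are all constructed assumptions for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

TUNNEL_NET = "10.8.0.0/24"   # assumed address range of the tunnel interface
VPN_SERVER = "203.0.113.1"   # assumed VPN server; its transport legitimately bypasses the tunnel

# Constructed `ss -tn` output captured before the VPN was connected.
BEFORE = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB 0      0      192.168.1.23:51234  203.0.113.10:443
ESTAB 0      0      192.168.1.23:51300  198.51.100.7:443
"""

# Constructed `ss -tn` output captured a few minutes after the tunnel came up.
# Port 51234 is a long-lived connection that was never torn down; 51300 was
# short-lived and has been re-established through the tunnel from 10.8.0.2.
AFTER = """\
State Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB 0      0      192.168.1.23:60000  203.0.113.1:443
ESTAB 0      0      192.168.1.23:51234  203.0.113.10:443
ESTAB 0      0      10.8.0.2:40001      198.51.100.7:443
ESTAB 0      0      10.8.0.2:40002      192.0.2.55:5223
"""


@dataclass(frozen=True)
class Conn:
    local: str
    lport: int
    peer: str
    pport: int


def parse_ss(output: str) -> set[Conn]:
    """Parse the ESTAB rows of `ss -tn` output into Conn records (IPv6 brackets stripped)."""
    conns = set()
    for line in output.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        laddr, lport = fields[3].rsplit(":", 1)
        paddr, pport = fields[4].rsplit(":", 1)
        conns.add(Conn(laddr.strip("[]"), int(lport), paddr.strip("[]"), int(pport)))
    return conns


def audit(before: set[Conn], after: set[Conn],
          tunnel_net: str, vpn_server: str) -> dict[str, set[Conn]]:
    """Classify post-tunnel connections by whether their local address is on the tunnel."""
    net = ipaddress.ip_network(tunnel_net)

    def in_tunnel(c: Conn) -> bool:
        return ipaddress.ip_address(c.local) in net

    # The tunnel's own transport connection to the VPN server is expected outside it.
    outside = {c for c in after if not in_tunnel(c) and c.peer != vpn_server}
    return {
        # Existed before the tunnel and still open on the physical interface:
        # the long-lived connections the report describes.
        "survived_outside": outside & before,
        # Opened after the tunnel came up yet not through it: routing is not
        # sending everything over the VPN (split tunnel or a misconfiguration).
        "new_outside": outside - before,
        "inside": {c for c in after if in_tunnel(c)},
    }


def run_audit() -> dict[str, set[Conn]]:
    """Run the audit on the constructed snapshots above."""
    return audit(parse_ss(BEFORE), parse_ss(AFTER), TUNNEL_NET, VPN_SERVER)


if __name__ == "__main__":
    for bucket, conns in run_audit().items():
        print(f"{bucket}:")
        for c in sorted(conns, key=lambda c: (c.local, c.lport)):
            print(f"  {c.local}:{c.lport} -> {c.peer}:{c.pport}")
```

On a real Linux host you would capture `ss -tn` once before bringing the tunnel up and again a few minutes after, and feed the two captures in place of the constructed strings. Anything landing in `survived_outside` is a connection that the VPN never touched; whether that matters depends on whether the connection is itself encrypted, exactly as the report notes.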
Earlier iOS versions not affected? (Score:4, Interesting)
A currently unpatched security vulnerability affecting iOS 13.3.1 or later
Does that mean that earlier versions of iOS are not affected?
Another reason to stick with 12.4.1
Re: (Score:2)
Why v12.4.1 and not v12.4.6 that just came out a few days ago? :P
Re: (Score:1)
Re: (Score:2)
> Welcome back to PRISM.
Remember their VERY-carefully-weasel-worded non-denial denial:
Apple: "We have never heard of PRISM. We do not provide any government agency with direct access to our servers, and any government agency requesting customer data must get a court order."
In response to being asked what they knew about the NSA tapping their inter-data-center fiber links and network gear.
Mmmhmm. Let's see the source code.
Re: (Score:1)
Collection was working just fine for them again.
Re: Not a bug (Score:2)
It is indeed the behavior of most systems that open connections remain open, I see the behavior on Mac, Windows and Linux. Open up a video conferencing app and then connect to VPN - it works, open up VPN first, then connect to a conference - freezes and lags out.
Some VPN software uses firewall or routing rules to change that behavior (AnyConnect has the capacity through a profile) but established and related traffic typically continues using the same interfaces they used before.
It may be unwanted behavior f
Re: Not a bug (Score:2)
And surely it depends on the configuration you want? Our company (thankfully) doesn't route all internet traffic over the VPN. In this situation you don't want nor need connections to be terminated and restarted.
I did work at a company that forced everything over the tunnel. People loved it because it enabled them to bypass geo-restrictions and access TV content from other countries! Not exactly helpful to the business though.
So (Score:1)
So the workaround is to use "Always-on VPN", which I never heard of. Did a google and it seems "Always-on VPN" is a Microsoft product.
So Apple says to use a Microsoft product on iOS? Nice, since I think a good deal of Apple's customers went to Apple to avoid M/S.
This shows how intertwined big commercial Tech Companies are. I have not used Apple at all, or M/S, in so long that I barely remember DOS commands. At least for now Linux is still not dependent on those companies (excluding funding from M/S).
Re: So (Score:5, Informative)
Re: (Score:2)
Not a bug. Opposite would be. (Score:3, Insightful)
This is not a bug, it is a feature.
They would get angry users if turning on VPN killed all running connections, unless of course apps are designed to survive interruption and resume. And in my experience this is not the case. Too many developers just expect the API to work. Any failure is not their fault. The user should just get stable Internet.
Maybe the VPN is split tunnel, then no reason to disconnect old. And since old connections are already compromised, no reason to force them down.
Re: (Score:2)
Plus, some connections cannot be resumed automatically without user intervention - perhaps something requires 2FA and thus breaking the link requires the user to re-login into the service.
The real p
That's a Feature (Score:2)
"Bug" (Score:1)