Do you use a VPN on your iPhone or iPad? Your devices may have been leaking data all along

Many people use virtual private networks (VPNs) to increase the privacy and security of their Internet browsing, as well as to access content outside of their region. For most people, this means a completely secure connection, with no way for corporations or governments to spy on them – but that’s apparently not the case for iOS users.

The issue, uncovered by security researcher Michael Horowitz, is this – typically, when a VPN connection (officially known as a “tunnel”) is made, all existing connections are terminated and reestablished inside this tunnel. But Horowitz says this doesn’t happen with iOS devices, such as an iPhone or iPad.

While most data does pass through the tunnel, connections made before the formation of the tunnel are still active and can (and do) transmit their own data. As Horowitz wrote, this presents a slew of problems – connections outside your VPN communicate your real IP address and are vulnerable to ISP spying. There’s also no guarantee that they are encrypted or that they use a trustworthy DNS service.

Michael Horowitz’s router log showing two connections outside his VPN
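A router-side check in the spirit of Horowitz’s log review, added here as an example (not code from the article or from Horowitz): it scans flow records for traffic from one device that does not go to the VPN server once the tunnel is up, and separates connections that survived from before the tunnel from ones opened afterwards. The log format, the IP addresses and the `find_leaks` name are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed line format: "HH:MM:SS proto src_ip:sport -> dst_ip:dport"
LINE = re.compile(r"(\S+) (tcp|udp) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

# Constructed sample (documentation-range addresses, not real log data).
SAMPLE_LOG = """\
10:00:01 tcp 192.168.1.50:51000 -> 203.0.113.20:5223
10:00:03 udp 192.168.1.50:51001 -> 198.51.100.53:53
10:00:30 udp 192.168.1.50:51002 -> 192.0.2.10:51820
10:00:45 tcp 192.168.1.50:51000 -> 203.0.113.20:5223
10:00:50 udp 192.168.1.50:51002 -> 192.0.2.10:51820
10:01:10 udp 192.168.1.50:51003 -> 198.51.100.53:53
10:01:12 tcp 192.168.1.77:40000 -> 203.0.113.99:443
"""

def find_leaks(log, device, vpn_server, lan="192.168.1.0/24"):
    """Return (time, dst, dport, kind) for device flows that bypass the tunnel."""
    lan_net = ipaddress.ip_network(lan)
    pre_tunnel = set()          # flows seen before the tunnel came up
    tunnel_up = False
    leaks = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue            # skip lines that do not parse
        time, proto, src, sport, dst, dport = m.groups()
        if src != device:
            continue
        if dst == vpn_server:
            tunnel_up = True    # first packet to the VPN endpoint marks tunnel start
            continue
        if ipaddress.ip_address(dst) in lan_net:
            continue            # LAN traffic is not expected inside the tunnel
        key = (proto, sport, dst, dport)
        if not tunnel_up:
            pre_tunnel.add(key)
        else:
            kind = "survived" if key in pre_tunnel else "new"
            leaks.append((time, dst, int(dport), kind))
    return leaks

if __name__ == "__main__":
    for leak in find_leaks(SAMPLE_LOG, "192.168.1.50", "192.0.2.10"):
        print(leak)
```

A "survived" entry is a connection opened before the tunnel that kept sending afterwards; a "new" entry is traffic that started outside the tunnel while the VPN was already connected.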

Now, this may not seem like such a big issue if you’re only using VPNs to access Netflix content from other countries. But for the people who rely on them for work or personal safety – especially in places where surveillance and civil rights abuses are common – this flaw poses a real security risk and could literally mean the difference between life and death.

This flaw, believe it or not, isn’t new – back in 2020, VPN provider ProtonVPN had already reported the problem on its blog, saying that it goes back at least to iOS 13.3.1. More worryingly, it seems that Apple doesn’t consider this a bug, telling Horowitz that “the behaviour you are seeing is expected.” It’s no wonder, then, that months after he uncovered the vulnerability back in May, Cupertino has not moved to patch it as of the latest 15.6.1 update.

Even worse, the connections made outside of VPN tunnels are feeding data back to Apple’s own servers, including its push notification system and its own DNS service. That’s a further ding on a company that has made privacy and security its calling card, time and time again telling users it doesn’t track their movements, purchases or messages. Horowitz reported that during his testing, his iPad was even connected to Facebook, despite not having Facebook or Instagram installed.

Horowitz’s log of his iPad’s data transfers outside the VPN tunnel

Apple, for its part, points out that it added a “kill switch” starting in iOS 14, which supposedly routes all traffic through the VPN. Unfortunately, ProtonVPN wrote that while the functionality has blocked additional network traffic, “certain DNS queries from Apple services can still be sent from outside the VPN connection.” Horowitz says the system is also very buggy, discouraging most VPN providers from incorporating it into their services.

So, if you need to rely on your Internet connection to be secure, what can you do? Not much, really. ProtonVPN did suggest turning Airplane Mode on and off while the VPN was on to force connections outside the tunnel to be terminated. However, Horowitz said that this workaround, which the company itself said cannot be guaranteed to be 100% effective, was causing issues with ProtonVPN’s own always-on function, negating its usability.

Horowitz himself suggested that you could use VPN client software at the router level, rather than on an iOS device, recommending a dedicated VPN router for this purpose. It’s a shame, however, that people would need to purchase another piece of hardware just to get a secure Internet connection – and it’s definitely not a good look for Apple.

Also, if you’re going to purchase a VPN subscription, do make sure it’s from the official website. There are fake websites selling VPN services through Facebook ads that could put your personal data at risk.

