VPNs On Apple's iOS Are 'Broken' And A 'Scam', Said This Security Researcher


"VPNs on iOS are broken," a security researcher said, and also "a scam."

Apple has long touted itself as a privacy-conscious company, with various privacy-focused products and approaches. But like any other company, Apple can ship flaws that it failed to spot early on.

In this case, iOS fails to route all network traffic through the VPN.

Michael Horowitz, a longtime computer security blogger and researcher, explained in a blog post that any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic.

The thing is, sessions and connections established before the VPN is activated do not terminate.

According to Horowitz, who reached this conclusion using advanced router logging, iOS can still send data outside the VPN tunnel while the VPN is active.

"This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers," said Horowitz.

Active Sessions for an Apple iPad after establishing a VPN connection, showing a connection/session that is not the VPN tunnel. (Credit: Michael Horowitz)

When using a VPN, users should expect the VPN client to kill existing connections before establishing a secure connection through the VPN tunnel.

In other words, existing connections must be re-established inside the tunnel, not carried over.

But according to Horowitz, iOS doesn't actually kill existing connections before connecting to a VPN tunnel.

Many of a user's existing connections will eventually end up inside the VPN tunnel, but some, like those to Apple's push notification service, can last for hours.

This issue can definitely leak a user's original network connection.

"Data leaves the iOS device outside of the VPN tunnel," explained Horowitz. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

For iOS users who rely on a VPN to browse anonymously, the issue defeats the purpose of using a VPN in the first place.

According to Horowitz, Apple has known about this issue for years.

As privacy company Proton first reported, the iOS VPN bypass vulnerability dates back to at least iOS 13.3.1.

According to Proton VPN, when users connect to a VPN, they should only be able to see traffic between the device's IP and the VPN server or local IP addresses (other devices on their local network).

However, iOS also sends traffic between the iOS device's IP and an external IP address that is not the VPN server.

In this case, it's an Apple server.

In the blog post, Proton VPN explained that 10.0.2.109 is the iOS device's IP address, 185.159.157.8 is the Proton VPN server, and 17.57.146.68 is an Apple-owned IP address.

Credit: Proton VPN
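
The check Proton VPN describes (only device-to-VPN-server and local traffic should be visible) can be run over flow records from a router log or packet capture. The following is an added example, not code from Proton VPN or Horowitz: the three addresses are the ones quoted above, while the /24 LAN range, the flow tuples and the packet counts are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Addresses taken from the Proton VPN capture described above.
DEVICE_IP = ipaddress.ip_address("10.0.2.109")
VPN_SERVER = ipaddress.ip_address("185.159.157.8")
# Assumption: the device's LAN is a /24; adjust to the network under test.
LOCAL_NET = ipaddress.ip_network("10.0.2.0/24")

# Constructed flow records (source, destination, packets) standing in for
# router or packet-capture output recorded while the VPN is connected.
SAMPLE_FLOWS = [
    ("10.0.2.109", "185.159.157.8", 120),  # device -> VPN server
    ("185.159.157.8", "10.0.2.109", 98),   # VPN server -> device
    ("10.0.2.109", "10.0.2.1", 4),         # device -> local gateway
    ("10.0.2.109", "17.57.146.68", 6),     # device -> Apple-owned address
    ("17.57.146.68", "10.0.2.109", 5),     # Apple-owned address -> device
    ("10.0.2.50", "10.0.2.1", 3),          # another LAN host, not the device
]


def classify_flow(src, dst):
    """Return (label, peer) where label is tunnel, local, leak or unrelated."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if DEVICE_IP not in (src_ip, dst_ip):
        return "unrelated", None
    # The peer is whichever end of the flow is not the monitored device.
    peer = dst_ip if src_ip == DEVICE_IP else src_ip
    if peer == VPN_SERVER:
        return "tunnel", str(peer)
    if peer in LOCAL_NET or peer.is_multicast:
        return "local", str(peer)
    return "leak", str(peer)


def find_leaks(flows):
    """Return {peer_ip: packet_count} for device traffic outside the tunnel."""
    leaks = Counter()
    for src, dst, packets in flows:
        label, peer = classify_flow(src, dst)
        if label == "leak":
            leaks[peer] += packets
    return dict(leaks)


if __name__ == "__main__":
    for peer, packets in find_leaks(SAMPLE_FLOWS).items():
        print(f"outside tunnel: {DEVICE_IP} <-> {peer} ({packets} packets)")
```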

The privacy leak stems from the way tunneled and non-tunneled connections work.

In a non-tunneled connection, that is, when users are not using a VPN, persisting connections may not be encrypted, and the user's IP address, along with whatever they are connected to, can be seen by Internet Service Providers (ISPs) and other parties.

When a VPN is activated, VPN clients on iOS that cannot fully terminate existing connections will allow some remaining connections to pass outside of the tunnel.

For most VPN users, who use the service just to appear to be in another part of the world and unlock some websites, this may not be a big issue.

But for high-profile figures, including journalists and activists, this is concerning.

"Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," Proton VPN wrote at the time.

It's worth noting though, that Horowitz's post doesn't offer specifics on how iOS might fix the issue. He also doesn't address VPNs that offer "split tunneling," focusing instead on the promise of a VPN capturing all network traffic.

For his part, Horowitz recommends a $130 dedicated VPN router as a truly secure VPN solution.

In October 2022, it was discovered that users of iOS 16 are still leaking data out of the intended VPN tunnel.

Published: 18/08/2022