A vulnerability in iOS 13.3.1 and later prevents Virtual Private Networks (VPNs) from tunnelling all of a device's network traffic: connections that were already open when the VPN was enabled keep running outside the encrypted tunnel, potentially exposing the user's real IP address and the data those connections carry.
Information about the vulnerability was shared today by Bleeping Computer after it was discovered by ProtonVPN. iOS does not terminate existing connections when a user connects to a VPN, so instead of being torn down and re-established inside the tunnel once it is up, those connections simply carry on over the underlying network interface.
A VPN routes a device's internet traffic through an encrypted tunnel to the VPN server, so that the local network, the ISP and the destination servers see the VPN server's address rather than the device's real IP, and the contents of the traffic are hidden from anyone between the device and the VPN server. Normally, connections that were open before the VPN came up are disconnected and then reconnected inside the tunnel.
However, the bug in iOS 13.3.1 and later leaves those pre-existing connections in place. Most connections are short-lived and are soon replaced by new ones that do go through the tunnel, but long-lived sessions (ProtonVPN observed this with Apple's push notification service) can persist for minutes or hours outside it, exposing the user's real IP address (and the approximate location associated with it) as well as whatever those sessions transmit.
Any fix for the issue will need to be implemented by Apple. VPN apps cannot fix it themselves, because iOS does not allow a VPN app to kill network connections belonging to other apps or to the system. Apple is reported to be aware of the vulnerability and is looking into a fix.
As a temporary workaround, VPN users are advised to connect to the VPN server first, then turn Airplane Mode on and off again. This drops all existing connections, and those that reconnect do so through the already-established tunnel. Note that this only clears the connections open at that moment; it is not guaranteed to catch everything, and it would need to be repeated each time the VPN is reconnected.
We’ll keep you posted, and let you know when a fix is in place.