An unpatched iOS 13 bug is preventing VPNs from encrypting all traffic. As a result, some internet connections bypass VPN encryption, which can expose users' data or leak their IP addresses, reports ProtonVPN.
Last year, we discovered a vulnerability in iOS that causes connections to bypass VPN encryption. This is a bug in iOS that impacts all VPNs. We have informed Apple, and we are now sharing details so you can stay safe. https://t.co/78v3Brispm
— ProtonVPN (@ProtonVPN) March 25, 2020
iOS VPN bypass vulnerability
Connections established after you connect to a VPN on your iOS device are not affected by this bug, but connections made before that point are. The iOS 13 bug causes those previously established connections to remain outside the VPN’s secure tunnel, says ProtonVPN.
The bug emerged because Apple’s iOS fails to close all existing internet connections when the user connects to a VPN. Usually, when you connect to a VPN, the operating system ends all the previous connections and automatically reconnects to the original destination servers after the VPN tunnel is established. This process is currently not taking place in iOS 13.3.1 and later versions, which are therefore affected by the bug.
ProtonVPN says that most connections are short-lived, so they will eventually be re-established through the VPN tunnel on their own. However, some connections are long-lasting and can remain exposed outside the VPN tunnel for minutes to hours.
Such unencrypted connections can potentially reveal a user’s location, IP address, or expose them and the servers they’re communicating with to attacks.
These risks are not too damaging for the average user, but those who rely on VPNs for sensitive work are quite vulnerable to the dire consequences.
Apple is aware of the issue, and it is currently working to fix it. But we will have to wait until Apple releases a patch for this bug. Meanwhile, here’s a temporary fix for this iOS VPN bypass vulnerability:
A temporary solution
Apple recommends using the Always-on VPN to fix this problem, but this feature won’t work for those who use third-party VPN apps.
Until Apple issues a patch for this bug, ProtonVPN advises enabling and disabling Airplane Mode to manually kill the previous connections after connecting to a VPN. Keep in mind that this method isn’t 100% effective, but it’s worth a try.
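Because the Airplane Mode workaround is not guaranteed to work, it helps to check whether any pre-VPN connection is still active outside the tunnel. The following is an added example, not code from ProtonVPN or Apple: it scans flow records captured on the network the device is using and reports destinations still being contacted directly after the tunnel came up. The record format, the interface names (`en0`, `pdp_ip0`, `utun2`), and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample flow records (not real capture data):
# seconds since capture start, interface, destination IP, destination port
SAMPLE_FLOWS = """\
0.0 en0 198.51.100.7 5223
2.0 en0 203.0.113.20 443
10.0 en0 192.0.2.10 443
10.5 utun2 203.0.113.20 443
40.0 en0 198.51.100.7 5223
95.0 en0 198.51.100.7 5223
96.0 en0 192.0.2.10 443
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, iface, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, iface, dst, port = line.split()
        flows.append((float(ts), iface, ip_address(dst), int(port)))
    return flows

def find_leaks(flows, vpn_server, tunnel_up, physical_ifaces=("en0", "pdp_ip0")):
    """Return {(dst, port): seconds_exposed} for traffic that still leaves a
    physical interface after the tunnel came up and is not addressed to the
    VPN server. New connections go through the tunnel, so anything found
    here belongs to a connection that predates the VPN."""
    vpn_server = ip_address(vpn_server)
    last_seen = defaultdict(float)
    for ts, iface, dst, port in flows:
        if ts <= tunnel_up or iface not in physical_ifaces:
            continue  # before the VPN connected, or already inside the tunnel
        if dst == vpn_server:
            continue  # encapsulated tunnel traffic is expected on this interface
        key = (str(dst), port)
        last_seen[key] = max(last_seen[key], ts - tunnel_up)
    return dict(last_seen)

if __name__ == "__main__":
    # Assumed values: VPN server 192.0.2.10, tunnel established at t = 10.0 s
    for (dst, port), secs in find_leaks(parse_flows(SAMPLE_FLOWS), "192.0.2.10", 10.0).items():
        print(f"{dst}:{port} still outside the tunnel {secs:.0f}s after VPN connect")
```

An empty result after toggling Airplane Mode indicates that the old connections were closed and re-established through the tunnel.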