All iOS VPNs Are Worthless And Apple Knows It, Says Researcher


A new detailed report indicates that a long-standing bug in iOS prevents any VPN from fully encrypting all traffic – and also claims that Apple knew this and chose not to do anything since its discovery in 2020.

The vulnerability was first discovered by VPN company ProtonVPN in March 2020. At the time, the company said that when a VPN is enabled, the operating system should terminate all internet connections and automatically reestablish them through the VPN to prevent unencrypted data leaks.

In iOS 13.3.1 and later, devices connecting with a VPN would not close and reopen connections. Therefore, it was possible for a user to unknowingly continue to partially use the unsecured connection they had before enabling the VPN.

“Those most at risk from this security breach are people living in countries where surveillance and civil rights abuses are common,” the company said at the time.

Today, Michael Horowitz, who describes himself as an independent IT consultant and blogger, says the vulnerability still exists. In a profusely illustrated, 7,500-word post about the problem, Horowitz reports repeatedly seeing significant data leaks when using VPNs on iOS.

“It takes so little time and effort to recreate this, and the problem is so constant, that if [Apple] tried at all, they should have been able to recreate it,” he wrote. “That’s none of my business. Maybe they’re hoping that, like ProtonVPN, I’ll just move on and drop it. I do not know.”

In brief, Horowitz inspected the data stream leaving an iPad while different VPNs were in use.

“At first they seem to work well,” he writes. “But, over time, detailed inspection of the data leaving the iOS device shows that the VPN tunnel is leaking.”

“Data leaves the iOS device outside of the VPN tunnel,” Horowitz continues. Using a recently updated iPad and turning on a VPN, he recorded what he described as “another stream of requests…traveling outside the VPN tunnel.”
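The two behaviours described above, connections opened before the VPN that are never re-established (ProtonVPN's report) and new requests that travel outside the tunnel (Horowitz's observation), can be told apart by classifying flows recorded at a capture point between the device and the internet. This is an added example, not code from Horowitz, ProtonVPN or this article; the `Flow` record, the addresses, the VPN start time and the LAN range are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One connection as recorded between the device and the internet (hypothetical format)."""
    first_seen: float  # seconds since capture start
    last_seen: float
    dst: str
    dport: int
    proto: str

def classify(flows, vpn_up_at, vpn_endpoints, lan):
    """Sort flows into tunnel / local / pre_vpn / stale_leak / new_leak."""
    lan_net = ip_network(lan)
    out = {k: [] for k in ("tunnel", "local", "pre_vpn", "stale_leak", "new_leak")}
    for f in flows:
        dst = ip_address(f.dst)
        if f.dst in vpn_endpoints:
            out["tunnel"].append(f)      # encrypted traffic to the VPN server
        elif dst in lan_net or dst.is_multicast:
            out["local"].append(f)       # LAN/multicast, excluded from the check (assumption)
        elif f.last_seen <= vpn_up_at:
            out["pre_vpn"].append(f)     # finished before the VPN came up
        elif f.first_seen < vpn_up_at:
            out["stale_leak"].append(f)  # opened before the VPN, still active after it
        else:
            out["new_leak"].append(f)    # opened after the VPN was up, outside the tunnel
    return out

# Constructed sample capture (documentation address ranges, not real hosts).
VPN_UP_AT = 60.0
VPN_ENDPOINTS = {"203.0.113.10"}
LAN = "192.168.1.0/24"
SAMPLE = [
    Flow(10.0, 25.0, "198.51.100.7", 443, "tcp"),
    Flow(30.0, 400.0, "198.51.100.20", 443, "tcp"),
    Flow(60.5, 900.0, "203.0.113.10", 51820, "udp"),
    Flow(70.0, 71.0, "192.168.1.1", 53, "udp"),
    Flow(120.0, 121.0, "192.0.2.53", 443, "tcp"),
    Flow(200.0, 200.1, "224.0.0.251", 5353, "udp"),
]

def leaks(flows=SAMPLE):
    """Flows that carried traffic outside the tunnel after the VPN was up."""
    r = classify(flows, VPN_UP_AT, VPN_ENDPOINTS, LAN)
    return r["stale_leak"] + r["new_leak"]

if __name__ == "__main__":
    for f in leaks():
        print(f"outside tunnel: {f.proto} {f.dst}:{f.dport} ({f.first_seen}s to {f.last_seen}s)")
```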

Horowitz stopped after repeatedly documenting similar issues.

“I just want to know if there is a problem, yes or no,” he said. “I’m not interested in fully defining/debugging the problem. This is for Apple.”

Horowitz’s post also details his failed attempts to discuss the issue with Apple and the government’s Cybersecurity and Infrastructure Security Agency (CISA).

“At this point, I see no reason to trust a VPN on iOS,” he concludes. “My suggestion would be to establish the VPN connection using VPN client software in a router, rather than on an iOS device.”

Horowitz’s research focused on the use of third-party VPNs. It didn’t indicate whether there were any issues using Apple’s Private Relay. However, Apple does not consider Private Relay to have the same functionality as a full VPN.
