A vulnerability in iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all network traffic claims ProtonVPN, which discovered the flaw.
This vulnerability allows an internet connection to bypass VPN encryption, potentially exposing user data and sharing the user’s IP address.
When a VPN connection is established, iOS should close all network connections, connect to the VPN and restart network processes using the VPN encryption. Because of a glitch in iOS 13.3.1 or later, that is not what happens.
Instead of ending all network connections and restarting them with encryption, iOS keeps all previously existing network connections open. This allows the open network connections to bypass the VPN encryption.
Only the network connections established after the VPN are encrypted.
These unsecured connections can expose user data and their IP addresses, both of which could be used to identify and locate the user.
It also could expose destination servers, possibly opening them to attack. “Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common,” says ProtonVPN.
Most of these unencrypted connections will end and re-connect through the VPN, but some connections will persist and continue to communicate outside of the VPN for hours at a time.
Apple’s push notification system is an example of a process that is not closed automatically when a VPN connection is initiated, says ProtonVPN.
VPN apps are powerless to do anything about this glitch because Apple does not allow a VPN app to kill any existing network connections. Instead, VPN users will have to manually terminate all network connections by turning on Airplane Mode and then turning it off after connecting to a VPN.
By toggling Airplane Mode on/off, the user force closes all network processes and then restarts them inside the encrypted tunnel of the VPN.
Because this is a flaw in iOS, users will have to wait for Apple to issue a patch. The company allegedly knows about the issue and is considering ways of fixing it.