
VPN bypass vulnerability in Apple iOS

Posted on March 25th, 2020 by in Security.

UPDATE Oct. 19, 2020: Although Apple has not fixed the VPN bypass problem directly on iOS 14, they have provided the Kill Switch capability to app developers. By enabling Kill Switch, existing connections will be blocked whenever VPN is enabled. We will be adding this capability in an upcoming release of ProtonVPN.

UPDATE Sept. 16, 2020: We can confirm this bug still exists in iOS version 13.7.

UPDATE July 24, 2020: We can confirm this bug still exists in iOS version 13.6.

UPDATE June 1, 2020: Apple’s release notes for iOS version 13.5 do not mention this issue, and we have confirmed that the bug still exists in the new version.

This article reports a security vulnerability in Apple’s iOS, present up to and including version 13.4, that lets network connections opened before a VPN is enabled keep running outside the VPN tunnel, so the VPN does not encrypt all of the device’s traffic.

From time to time we encounter vulnerabilities in third-party software. In future, such findings will be disclosed after 90 days in accordance with our responsible disclosure program. We are disclosing this “VPN bypass” vulnerability publicly now because it is important that our community, other VPN providers, and their users are aware of it.

Below we explain the nature of the security flaw, how we investigated it, and what users can do to mitigate their risk until Apple fixes the vulnerability.

How the iOS VPN bypass vulnerability works

Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections so that applications re-establish them through the VPN tunnel. 

Learn more: how VPNs work

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. 

One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons. 

The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker on the network path (for example the local network operator or ISP) could see the user’s true IP address and the IP addresses of the servers they are connecting to. Likewise, the server you connect to sees your true IP address rather than that of the VPN server.

Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.

Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

Investigating the vulnerability

To investigate this issue, we used Wireshark to capture an iOS device’s network traffic. 

When you connect a device to VPN, you should only be able to see traffic between the device’s IP and the VPN server or local IP addresses (other devices on your local network). As the capture below shows, there is also direct traffic between the iOS device’s IP and an external IP address that is not the VPN server (in this case it’s an Apple server).

[Screenshot: iOS device’s network traffic in Wireshark]

10.0.2.109 = iOS device’s IP address
185.159.157.8 = ProtonVPN server
17.57.146.68 = Apple-owned IP address
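The same check can be automated over a capture. The script below is an added example, not part of the original article or ProtonVPN’s tooling: it takes one line per packet in the form `src_ip,dst_ip,protocol,tcp_dst_port` (the field order produced by `tshark -r capture.pcap -T fields -E separator=, -e ip.src -e ip.dst -e _ws.col.Protocol -e tcp.dstport`) and reports every destination the device talked to directly while the VPN was up, excluding the VPN server itself and local, link-local and multicast addresses. The device and VPN server addresses are taken from the legend above; the sample capture embedded in the script is constructed for illustration, not a real recording.

```python
"""Flag traffic that left the device outside the VPN tunnel.

Each input line is "src_ip,dst_ip,protocol,tcp_dst_port" as produced by:
  tshark -r capture.pcap -T fields -E separator=, \
         -e ip.src -e ip.dst -e _ws.col.Protocol -e tcp.dstport
Anything sent by the device to a destination that is neither the VPN
server nor a local/link-local/multicast address bypassed the tunnel.
"""
import ipaddress
from collections import Counter

# Addresses taken from the capture legend in the article.
DEVICE_IP = ipaddress.ip_address("10.0.2.109")
VPN_SERVER_IP = ipaddress.ip_address("185.159.157.8")

# Destinations that are expected to stay off the tunnel while on VPN.
EXPECTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),     # link-local
    ipaddress.ip_network("224.0.0.0/4"),        # multicast (mDNS, SSDP)
    ipaddress.ip_network("255.255.255.255/32"),  # broadcast
]


def is_expected_destination(dst):
    """True if device traffic to dst (string) is legitimate while on VPN."""
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip == VPN_SERVER_IP:
        return True
    return any(dst_ip in net for net in EXPECTED_NETS)


def find_bypass_flows(lines):
    """Count outbound packets per (dst_ip, dst_port) that bypassed the tunnel.

    Only packets sent by DEVICE_IP are counted; the replies belong to the
    same flow and would just double-count it.
    """
    leaks = Counter()
    for raw in lines:
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) < 2 or not fields[0]:
            continue  # blank line or non-IP frame (ARP etc.)
        fields += [""] * (4 - len(fields))
        src, dst, _proto, port = fields[:4]
        try:
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparsable address
        if src_ip != DEVICE_IP or is_expected_destination(dst):
            continue
        leaks[(dst, port)] += 1
    return dict(leaks)


# Constructed sample in the format above (not a real capture). The ESP
# lines are the IKEv2 tunnel itself; the flow to the Apple address on
# TCP 5223 (the port Apple's push notification service uses) is the kind
# of long-lived connection the article describes. DNS to the local
# router is excluded by the local-network rule but is worth eyeballing.
SAMPLE_CAPTURE = """\
10.0.2.109,185.159.157.8,ESP,
185.159.157.8,10.0.2.109,ESP,
10.0.2.109,17.57.146.68,TLSv1.2,5223
17.57.146.68,10.0.2.109,TCP,
10.0.2.109,17.57.146.68,TCP,5223
10.0.2.109,10.0.2.1,DNS,
10.0.2.109,224.0.0.251,MDNS,
,,ARP,
"""

if __name__ == "__main__":
    for (dst, port), count in find_bypass_flows(SAMPLE_CAPTURE.splitlines()).items():
        print(f"bypass: {DEVICE_IP} -> {dst}:{port or '?'} ({count} packets)")
```

Run it against a real capture by piping the tshark output into `find_bypass_flows` after setting `DEVICE_IP` and `VPN_SERVER_IP` for your own setup; any destination it prints is a connection that was established before the VPN came up (or deliberately excluded from it) and is carrying your real IP address.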

We’ve calculated this vulnerability’s CVSS score as medium.

How to mitigate the iOS VPN bypass vulnerability

Internet connections established after you connect to VPN are not affected. But connections that are already running when you connect to VPN may continue outside the VPN tunnel indefinitely. There is no way to guarantee that those connections will be closed at the moment you start a VPN connection. 

However, we’ve discovered the following technique to be almost as effective:

  1. Connect to any ProtonVPN server.
  2. Turn on airplane mode. This drops all Internet connections and temporarily disconnects ProtonVPN. Check that Wi-Fi is actually off: iOS remembers if you re-enabled Wi-Fi while in airplane mode, and with Wi-Fi still on no connections are dropped. 
  3. Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also be re-established inside the VPN tunnel, though we cannot guarantee this 100%.

Alternatively, Apple recommends using Always-on VPN to mitigate this issue. Always-on VPN is only available on supervised devices configured through device management (MDM), so unfortunately it is not an option for third-party VPN applications such as ProtonVPN on ordinary consumer devices.

This vulnerability was first reported to us by Luis, a security consultant and member of the Proton community. We have been in contact with Apple, which has acknowledged the VPN bypass vulnerability and is looking into options to mitigate it. Until an update is available from Apple, we recommend the above workarounds.

This article was updated March 26, 2020.

We are the scientists, engineers, and developers who build ProtonMail, the world's largest encrypted email service. We're now building ProtonVPN also to ensure that everybody can have access to free and secure internet.

59 comments

  1. Peter Smith

    Has the vpn vulnerability been fixed in ios 14?

  2. Richie Koch

    Hi Peter,
    Although Apple has not fixed the VPN bypass problem directly, they have provided the Kill Switch capability to developers of apps on iOS 14. By enabling Kill Switch, existing connections will be blocked whenever the VPN is enabled. We will be adding this capability in an upcoming release of ProtonVPN.

  3. CL

    Has Proton been able to test IOS 14 to determine if this VPN encryption bypass bug has been fixed?

  4. Richie Koch

    Although Apple has not fixed the VPN bypass problem directly, they have provided the Kill Switch capability to developers of apps on iOS 14. By enabling Kill Switch, existing connections will be blocked whenever VPN is enabled. We will be adding this capability in an upcoming release of ProtonVPN.

  5. Ragazzo

    Does 13.7 resolve the bug?

  6. Richie Koch

    Hello,
    Unfortunately, no, the vulnerability is still present in iOS 13.7.

  7. willy

    Does 13.7 resolve the bug?

  8. wkrjr

    I noticed that the article states the problem doesn’t appear in iOS14.
    I’ve read that iOS 14 Public Beta is solidly stable which makes me lean towards downloading it.
    But, I’m concerned my ProtonVPN Beta may not be fully operationally compatible and could cause a possible even worse issue(s).

    Any suggestions?

  9. Matti

    iOS 13.6 was just released and includes the following in its release notes;
    “Provides a mechanism for administrators to specify domains to exclude from traffic carried by always-on VPN connections”

    I’m not sure what they mean by “administrators” but what’s ProtonVPN’s take on this, and will you be leveraging it in future? More importantly, has iOS 13.6 (finally) fixed that VPN bypass bug mentioned here?

  10. Ben Wolford

    Unfortunately, 13.6 does not fix the bypass issue. The item in the release notes you mentioned allows organizations to control and configure employee devices. It’s not accessible to apps like ProtonVPN.

  11. Nora

    iOS 13

  12. Kevin Nelson

    After testing with iOS 14 beta (18A5301v), it appears the issue no longer exists.

  13. Tommy

    Is it fixed in iOS 13.5.1?

  14. Roxana Zega

    Hi Tommy,

    We are not aware of any fix. We will inform users if/when we have news.

    Thanks.

  15. w

    13.5.1 Fix it?

  16. Tommy

    Is this fixed in the most recent update 13.5.1?

  17. Tommy

    Is this fixed in 13.5.1?

  18. flo

    how you know that ? @Stefan ( source please )

  19. Stefan

    Apple informed us that it is not fixed with 13.5.
    They are still working on it.

  20. Stefan

    Does 13.5 resolve the bug?

  21. Koko

    Hi, I was wondering if this bug is finally solved with the 13.5 update.

  22. Richie Koch

    Hi Koko, we’re still awaiting official word from Apple. They do not mention in their latest security update, but we are monitoring the situation. We will alert users if/when we have news.
    https://support.apple.com/en-us/HT201222

  23. CL

    Has Proton been able to test IOS 13.5 to determine if this VPN encryption bypass bug has been fixed?

  24. Richie Koch

    Unfortunately, neither iOS 13.5 nor 13.6 address this issue.

  25. Z

    Is this fixed in the iOS 13.5 update?

  26. Ben Wolford

    It did not fix this bug unfortunately.

  27. Andreas

    Any news if this is fixed on 13.5 update? Thank you

  28. Steve Reid

    Hi, has Apple fixed this bug with today’s update of iOS 13.5?

  29. Invisible

    I’m not sure I’m following the Airplane Mode suggestion. If you don’t have a data plan on your iPhone, and use WiFi exclusively, it’s easy to leave an iOS device in Airplane Mode always. I do, and WiFi works just fine.
    So the question is, if you operate solely on WiFi in Airplane Mode, how can one mitigate this problem when switching to/from ProtonVPN? Turning on Airplane Mode doesn’t really mean or do anything in this context.

  30. Ben

    Can you explain how “always on VPN mitigates this issue”? If we use always on, does that mean all network connections have been killed by iOS and rerun through the VPN?

  31. daniele

    is it the same problem with ios even though it’s connected to a vpn router

  32. Daniele

    What about the 13.4.1 ?

  33. Roxana Zega

    Hi Daniele,

    Apple hasn’t confirmed the fix and it hasn’t informed us either.

    Thanks.

  34. Just another engineer

    Is it just me, is it just hindsight, or is it really that obvious: why was wireshark left in the toolbox until a customer told the VPN company that it had an issue with one of its builds? Can you tell us if wireshark is going to become part of the standard test suite?

  35. Ben

    I think this was fixed in yesterdays iOS 13.4.1 update

  36. Roxana Zega

    Hi Ben,

    Apple hasn’t confirmed the fix and it hasn’t informed us either.

    Thanks.

  37. Michael Alem

    Is the issue preventing LTE cellular from connecting with ProtonVPN, and if so, has it been fixed in the latest iOS 13.4.1?

  38. Roxana Zega

    Hi Michael,

    Apple hasn’t confirmed the fix and it hasn’t informed us either.

    Thanks.

  39. Johan

    Does 13.4.1 resolve the bug?

  40. Roxana Zega

    Hi Johan,

    Apple hasn’t confirmed the fix and it hasn’t informed us either.

    Thanks.

  41. AlexDrPol

    Thanks for your hard work to ensure our privacy.

  42. Art

    CVE?

  43. dustinf

    Thank you for this.
    Can you identify the spot in the network where you captured the traffic?

  44. Advalorem

    Not fun at all.

  45. Samia

    Hello, the same problem also exists in Samsung Android with the Dual Messenger feature (from Android 8.0).
    All the dual apps like Face and WhatsApp and Telegram are using the true IP address of the phone in these apps, and they do not use the IP of the VPN server even when you are connected.
    Could you please investigate the issue and maybe have a solution for it (ProtonVPN for Android).
    Regards

  46. nitrohorse

    Does this issue only affect IKEv2 VPN configurations (“personal VPNs”) or also OpenVPN and WireGuard VPN configurations?

  47. Richie Koch

    Hello! Unfortunately, this bug affects all VPN protocols.

  48. Aisha Visram

    Hi there, do you know if Per-App VPN (MDM would be required) mitigates this the same way Always-on VPN does? Most companies with MDM utilize Per-App VPN over Always-on VPN as this only turns on the VPN (automatically) when particular corp apps or specific safari company sites are opened (optimizes battery life and is more secure). I would think that Per-App VPN by design would mitigate this issue as it ensures that all sensitive corporate traffic is routed through the VPN tunnel. Any ideas? Thank you!

  49. Orlando Smith

    Is it time for Apple to authorize and securely enable at least trustworthy VPNs, such as ProtonVPN, to execute a kill switch in iOS? I think so, unless it has a good security reason for not doing so; a reason of commercial benefit won’t do.

    Apple may have to do this, because, other than commercial advantage, its seemingly regular appearance of VPN impairing flaws in iOS could be construed as a curiously coincidental benefit to intelligence agencies, which constantly seek to compromise major operating systems so as to conduct clandestine surveillance of individuals.

  50. Tahir Raza

    I am also facing an issue in my app where I send an encrypted key; it’s producing an invalid key, hence the app is breaking!

    Apple should look into this asap

  51. David Schwartz

    If you are at home you can turn off your phone network connection and then connect via WIFI to a ProtonVPN connected FlashRouter for VPN protection, instead of using iOS apps. The only external internet available would now be through an active VPN connection from the router.

  52. Orlando Smith

    I’ve also just yelled at Apple about this. Apple is on pace to introduce one significant VPN security flaw with every update to iOS. Smoke can be seen to come from Steve Jobs’ grave as he spins at over 50,000 RPMs.

    I think that the problem is that Apple’s engineers are trying to serve two masters. They are designing iOS to fully exploit the commercial opportunities of iTunes’ streaming, apps, etc., as they try to make iOS secure and protective of users’ privacy. At critical junctures, those two things will be difficult to reconcile. And since Apple’s engineers will be managed for profits first, security and privacy will be at times compromised, probably inadvertently compromised but compromised nonetheless, and then Apple will fix the security and/or privacy flaw, as best as it can be fixed, after the fact.

    Really makes me consider whether I want to upgrade to Apple’s coming laptops with Apple’s own CPU/GPU that will run a derivative iOS operating system?

  53. CyberneticistB

    Thank you ProtonVPN for continuously working to protect our data and privacy. 🙂

  54. Richie Koch

    You’re very welcome. We simply cannot stand by while so many companies and organizations refuse to respect the fundamental human right to privacy.

  55. Stubbles

    Did you guys get any bounty for this?

  56. John

    Hmm does WireGuard (or even OpenVPN) on iOS have the same issue? Because don’t they have different behavior than IKEv2?

  57. Richie Koch

    This is a good question. However, this bug affects all VPN protocols.

  58. J B

    Is the vulnerability also present in iOS 13.4 that was released yesterday?

  59. Richie Koch

    Yes, the issue also persists in the latest version, 13.4. We have updated the blog post.
