UPDATE August 2023: Additional vulnerabilities(new window) have been discovered in Apple’s VPN framework.

UPDATE Oct. 13, 2022: Reports indicate(new window) that Apple has not fixed the problem in iOS 16.

UPDATE Aug. 18, 2022: Recent testing has shown that while the kill switch capability Apple provided to developers with iOS 14 does in fact block additional network traffic, certain DNS queries from Apple services can still be sent from outside the VPN connection. This is similar to the situation we reported two years ago. Most of these connections are short-lived and eventually are re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. But if you use Proton VPN while connected to public WiFi, your sensitive traffic still cannot be monitored.

We’ve raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic. Apple has stated that their traffic being VPN-exempt is “expected”, and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution”. We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises.

UPDATE Oct. 19, 2020: Although Apple has not fixed the VPN bypass problem directly on iOS 14, they have provided the kill switch capability to app developers. By enabling Kill Switch, existing connections will be blocked whenever VPN is enabled. We will be adding this capability in an upcoming release of Proton VPN.

UPDATE Sept. 16, 2020: We can confirm this bug still exists in iOS version 13.7.

UPDATE July 24, 2020: We can confirm this bug still exists in iOS version 13.6.

UPDATE June 1, 2020: Apple’s release notes for iOS version 13.5 do not mention this issue, and we have confirmed that the bug still exists in the new version.

This article reports a security vulnerability discovered in Apple’s iOS version 13.4 that prevents VPNs from encrypting all traffic. 

From time to time we may encounter vulnerabilities in third-party software, which in the future will be disclosed after 90 days in accordance with our responsible disclosure program(new window). We are disclosing this “VPN bypass” vulnerability publicly because it’s important that our community and other VPN providers and their users are aware of this issue.

Below we explain the nature of the security flaw, how we investigated it, and what users can do to mitigate their risk until Apple fixes the vulnerability.

How the iOS VPN bypass vulnerability works

Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel. 

Learn more: how VPNs work(new window)

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel. 

One prominent example is Apple’s push notification service, which maintains a long-running connection between the device and Apple’s servers. But the problem could impact any app or service, such as instant messaging applications or web beacons. 

The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.

Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common.

Neither Proton VPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

Investigating the vulnerability

To investigate this issue, we used Wireshark(new window) to capture an iOS device’s network traffic. 

When you connect a device to VPN, you should only be able to see traffic between the device’s IP and the VPN server or local IP addresses (other devices on your local network). As the capture below shows, there is also direct traffic between the iOS device’s IP and an external IP address that is not the VPN server (in this case it’s an Apple server).

IOS device’s network traffic on wireshark

10.0.2.109 = iOS device’s IP address
185.159.157.8 = Proton VPN server
17.57.146.68 = Apple-owned IP address

We’ve calculated this vulnerability’s CVSS score as medium(new window).

How to mitigate the iOS VPN bypass vulnerability

Internet connections established after you connect to VPN are not affected. But connections that are already running when you connect to VPN may continue outside the VPN tunnel indefinitely. There is no way to guarantee that those connections will be closed at the moment you start a VPN connection. 

However, we’ve discovered the following technique to be almost as effective:

  1. Connect to any Proton VPN server.
  2. Turn on airplane mode. This will kill all Internet connections and temporarily disconnect Proton VPN. 
  3. Turn off airplane mode. Proton VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%.

Alternatively, Apple recommends using Always-on VPN(new window) to mitigate this issue. This method requires using device management(new window), so unfortunately it doesn’t mitigate the issue for third-party applications such as Proton VPN.

This vulnerability was first reported to us by Luis(new window), a security consultant(new window) and member of the Proton community. We have been in contact with Apple, which has acknowledged the VPN bypass vulnerability and is looking into options to mitigate it. Until an update is available from Apple, we recommend the above workarounds.

This article was updated March 26, 2020.

Protect your privacy and security online
Get Proton VPN free

Related articles

What is AirTag stalking?
In an era of “smart devices” that often double as spy devices, AirTags are tracking tools that are open about their function and can be vital in helping locate lost items (as anyone who has lost their car keys can attest to). However, as a recent cla
How to fix a "Your connection is not safe" error
As you surf the web using your browser, you’ll no doubt encounter websites that your browser will refuse to load, instead showing some variation of an error message, such as Your connection is not private or Warning: Potential Security Risk Ahead. 
Your search history is a window into your inner life. Anyone with access to it knows what your hobbies and interests are, your sexual orientation and preferences, the things that worry you (for example your medical concerns), your political affiliati
how to flush dns blog
  • Privacy deep dives
A DNS cache is a record of all the websites you’ve visited over a set amount of time. Simply put, your DNS cache is a list of websites you visited in the past that’s stored on your device. Your computer uses it to speed up visits to those same websit
Is Temu legit?
  • Privacy basics
Temu has become an unavoidable brand. Unknown to most up to a year ago, the online retailer exploded onto the digital scene in the United States with lavish ads and a riveting social media campaign, and has started its takeover in Europe now, too. As
We examIne whether the controversial Chinese video platform is safe to use
  • Privacy basics
In this article, we take an in-depth look at whether the wildly popular social media platform TikTok is safe to use. Several countries recently banned government officials from using TikTok, and now the US House of Representatives has passed the Pro