iOS Vulnerability Prevents VPNs From Encrypting All Traffic - MacRumors
Skip to Content

iOS Vulnerability Prevents VPNs From Encrypting All Traffic

by

A vulnerability affecting iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic, allowing some internet connections to bypass encryption, potentially exposing users' data and IP addresses.

ios device network ip wireshark

A screenshot from ProtonVPN demonstrating exposed connections to Apple's servers that should be protected by the VPN

Details on the vulnerability were shared today by Bleeping Computer after it was discovered by ProtonVPN. The vulnerability is caused because iOS isn't terminating all existing connections when a user connects to a VPN, allowing them to reconnect to destination servers once the VPN tunnel has been established.

Connections made after connecting to a VPN on an iOS are not affected by this bug, but all previously established connections are not secure. This could potentially lead to a user who believes they are protected accidentally exposing IP an address and therefore, an approximate location.

Apple's Push Notifications are cited as an example of a process using connections on Apple's servers that aren't closed automatically when connecting to a VPN, but it can affect any app or service running on a user's device.

VPNs cannot work around the issue because iOS does not allow VPN apps to kill existing network connections, so this is a fix that will need to be implemented by Apple. Apple is aware of the vulnerability and is looking into options to mitigate it.

Until fixed, VPN users can connect to a VPN server, turn on Airplane Mode and then turn off Airplane Mode to kill all existing connections. The mitigation isn't entirely reliable, however, so iPhone and iPad owners who rely on VPNs should be careful until Apple puts out a fix.

Popular Stories

iPhone 18 Pro Deep Red Feature

iPhone 18 Pro Launching Later This Year With These 12 New Features

Wednesday March 18, 2026 7:39 am PDT by
While the iPhone 18 Pro and iPhone 18 Pro Max are not expected to launch for another six months or so, there are already plenty of rumors about the devices. It was initially reported that the iPhone 18 Pro models would have fully under-screen Face ID, with only a front camera visible in the top-left corner of the screen. However, the latest rumors indicate that only one Face ID component...
Read Full Article78 comments
ios 26 4 yellow

Here Are Apple's Release Notes for iOS 26.4

Wednesday March 18, 2026 11:56 am PDT by
Apple provided developers and public beta testers with the release candidate versions of iOS 26.4 and iPadOS 26.4, which means we're going to see a public launch as soon as next week. The RC versions of the software include Apple's official release notes, giving us final details on what's included in the update. Apple Music - Playlist Playground (beta) generates a playlist from your...
Read Full Article102 comments
Apple Logo Sketch Feature

Apple Has Now Unveiled Eight New Products This Month

Tuesday March 17, 2026 9:25 am PDT by
Apple has unveiled a whopping eight new products so far this March, including an iPhone 17e, iPad Air models with the M4 chip, MacBook Air models with the M5 chip, MacBook Pro models with M5 Pro and M5 Max chips, the all-new MacBook Neo, an updated Studio Display, a higher-end Studio Display XDR, and now the AirPods Max 2 this week. iPhone 17e features the same overall design as the iPhone...
Read Full Article

Top Rated Comments

Will Tisdale 🎗 Avatar
Will Tisdale 🎗
78 months ago

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail.
I don’t think so.
iOS used to handle this correctly, then stopped.
Not tearing down existing connections completely undermines the point of a VPN.
Score: 11 Votes (Like | Disagree)
Will Tisdale 🎗 Avatar
Will Tisdale 🎗
78 months ago

Nope. I have two full tunnels on two different clients (Cisco Anyconnect, and Pulse Secure)
Well, I can tell you that Anyconnect will tear down any active connections, assuming it’s configured correctly. My work VPN certainly does.

TCP is designed to retry after being torn down. It’s no biggie.

The fact is, this is an iOS bug, which was introduced recently.
Score: 5 Votes (Like | Disagree)
Will Tisdale 🎗 Avatar
Will Tisdale 🎗
78 months ago

I feel like we need more info here.

As others have said, it would be problematic to silently kill existing connections when connecting to a VPN. That's certainly not the behavior I would expect. I suppose it depends on whether you use a VPN to add certain networks (such as your corporate office), or to globally route all your traffic (such as for privacy reasons). In the former case, I don't want my non-office connections to be reset.

If MacRumors is reporting this right and VPN apps cannot reset connections, that makes me wonder what changed here. Did iOS previously indeed terminate any open socket when connecting?
I feel that people need to learn about the expected behaviour of VPNs before commenting.
There’s actually two types on iOS. Split vpn and full tunnel. Split allows some stuff to be routed elsewhere. Full tunnel tunnels everything.
Score: 3 Votes (Like | Disagree)
Westside guy Avatar
Westside guy
78 months ago
I’m sometimes stunned by the upvotes people get for posting incorrect information.

If a VPN is configured to send all network traffic through the VPN when it’s running - which is typically what‘s done - then all traffic should be routing through it from the moment it’s enabled. Not just connections to new end points established afterward - all traffic.

Even if a VPN is configured to just carry traffic to a few specific end points (such as the OpenVPN tunnel to our servers, which I’m relying on heavily right now due to the stay at home order currently in place here in Washington): if you’re already connected to one of those end points before establishing the tunnel, you would expect all further traffic to go through the tunnel. The idea that you wouldn’t is ludicrous.
Score: 3 Votes (Like | Disagree)
K
konqerror
78 months ago
This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows built-in VPN client has this exact same behavior.
Score: 3 Votes (Like | Disagree)
gnasher729 Avatar
gnasher729
77 months ago

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows built-in VPN client has this exact same behavior.
Could we clean up on the use of the word "fake". It's not fake. It may be irrelevant. If you think it's irrelevant, say it's irrelevant. The whole of your post states clearly that it is not fake. And downvoting someone for daring to correct your incorrect use of language is very bad style.


Oops... Has iOS gotten too complicated, or is it just lazy programmers?
Neither. If you have a connection _before_ VPN is turned on, then changing that connection to use VPN will break it. Users will not be happy. Most applications are not clever enough to switch to another connection when VPN is turned on (most are not aware of VPN at all).

Everything you did before you turned on VPN is unprotected obviously. Nobody complains. Everything you start after you turn on VPN is protected. The few connections that you started before you started VPN have been unprotected all the time, and the stay unprotected. Like you make a phone call. If you turn on VPN halfway through the call, the first half is unprotected anyway. The second half of the call _works_. You just need to know that you can't protect the second half of a call with VPN. The whole call, or nothing.


Oops... Has iOS gotten too complicated, or is it just lazy programmers?
Neither. If you have a connection _before_ VPN is turned on, then changing that connection to use VPN will break it. Users will not be happy. Most applications are not clever enough to switch to another connection when VPN is turned on (most are not aware of VPN at all).

Everything you did before you turned on VPN is unprotected obviously. Nobody complains. Everything you start after you turn on VPN is protected. The few connections that you started before you started VPN have been unprotected all the time, and the stay unprotected. Like you make a phone call. If you turn on VPN halfway through the call, the first half is unprotected anyway. The second half of the call _works_. You just need to know that you can't protect the second half of a call with VPN. The whole call, or nothing.
Score: 2 Votes (Like | Disagree)
Read All Comments