iOS Vulnerability Prevents VPNs From Encrypting All Traffic

A vulnerability affecting iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic, allowing some internet connections to bypass encryption, potentially exposing users' data and IP addresses.

ios device network ip wireshark

A screenshot from ProtonVPN demonstrating exposed connections to Apple's servers that should be protected by the VPN

Details on the vulnerability were shared today by Bleeping Computer after it was discovered by ProtonVPN. The vulnerability is caused because iOS isn't terminating all existing connections when a user connects to a VPN, allowing them to reconnect to destination servers once the VPN tunnel has been established.

Connections made after connecting to a VPN on an iOS are not affected by this bug, but all previously established connections are not secure. This could potentially lead to a user who believes they are protected accidentally exposing IP an address and therefore, an approximate location.

Apple's Push Notifications are cited as an example of a process using connections on Apple's servers that aren't closed automatically when connecting to a VPN, but it can affect any app or service running on a user's device.

VPNs cannot work around the issue because iOS does not allow VPN apps to kill existing network connections, so this is a fix that will need to be implemented by Apple. Apple is aware of the vulnerability and is looking into options to mitigate it.

Until fixed, VPN users can connect to a VPN server, turn on Airplane Mode and then turn off Airplane Mode to kill all existing connections. The mitigation isn't entirely reliable, however, so iPhone and iPad owners who rely on VPNs should be careful until Apple puts out a fix.

Top Rated Comments

Will Tisdale ? Avatar
21 months ago

This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail.
I don’t think so.
iOS used to handle this correctly, then stopped.
Not tearing down existing connections completely undermines the point of a VPN.
Score: 11 Votes (Like | Disagree)
Will Tisdale ? Avatar
21 months ago

Nope. I have two full tunnels on two different clients (Cisco Anyconnect, and Pulse Secure)
Well, I can tell you that Anyconnect will tear down any active connections, assuming it’s configured correctly. My work VPN certainly does.

TCP is designed to retry after being torn down. It’s no biggie.

The fact is, this is an iOS bug, which was introduced recently.
Score: 5 Votes (Like | Disagree)
konqerror Avatar
21 months ago
This is 100% fake and not a bug. All VPNs, such as those on the desktop, do this by default unless specifically configured, as to not interrupt ongoing downloads, or worse, cause UDP-based services to silently fail. Windows built-in VPN client has this exact same behavior.
Score: 3 Votes (Like | Disagree)
Westside guy Avatar
21 months ago
I’m sometimes stunned by the upvotes people get for posting incorrect information.

If a VPN is configured to send all network traffic through the VPN when it’s running - which is typically what‘s done - then all traffic should be routing through it from the moment it’s enabled. Not just connections to new end points established afterward - all traffic.

Even if a VPN is configured to just carry traffic to a few specific end points (such as the OpenVPN tunnel to our servers, which I’m relying on heavily right now due to the stay at home order currently in place here in Washington): if you’re already connected to one of those end points before establishing the tunnel, you would expect all further traffic to go through the tunnel. The idea that you wouldn’t is ludicrous.
Score: 3 Votes (Like | Disagree)
Will Tisdale ? Avatar
21 months ago

I feel like we need more info here.

As others have said, it would be problematic to silently kill existing connections when connecting to a VPN. That's certainly not the behavior I would expect. I suppose it depends on whether you use a VPN to add certain networks (such as your corporate office), or to globally route all your traffic (such as for privacy reasons). In the former case, I don't want my non-office connections to be reset.

If MacRumors is reporting this right and VPN apps cannot reset connections, that makes me wonder what changed here. Did iOS previously indeed terminate any open socket when connecting?
I feel that people need to learn about the expected behaviour of VPNs before commenting.
There’s actually two types on iOS. Split vpn and full tunnel. Split allows some stuff to be routed elsewhere. Full tunnel tunnels everything.
Score: 3 Votes (Like | Disagree)
Square-Eyes Avatar
21 months ago
I got caught out by the fact that if you tether a device to your phone it will bypass the phone’s VPN ??‍♂️
Score: 2 Votes (Like | Disagree)

Related Stories

studio buds family

Beats Studio Buds Debuting Today With Active Noise Cancellation, Stemless Design, and More for $150

Monday June 14, 2021 8:00 am PDT by
We've seen a lot of teasers about the Beats Studio Buds over the past month since they first showed up in Apple's beta software updates, and today they're finally official. The Beats Studio Buds are available to order today in red, white, and black ahead of a June 24 ship date, and they're priced at $149.99. The Studio Buds are the first Beats-branded earbuds to truly compete with AirPods...
youtube apple tv

YouTube Discontinuing 3rd-Generation Apple TV App, AirPlay Still Available

Wednesday February 3, 2021 3:09 pm PST by
YouTube is planning to stop supporting its YouTube app on the third-generation Apple TV models, where YouTube has long been available as a channel option. A 9to5Mac reader received a message about the upcoming app discontinuation, which is set to take place in March.Starting early March, the YouTube app will no longer be available on Apple TV (3rd generation). You can still watch YouTube on...
gradiente iphone white

Brazilian Electronics Company Revives Long-Running iPhone Trademark Dispute

Tuesday May 19, 2020 1:06 pm PDT by
Apple has been involved in a long-running iPhone trademark dispute in Brazil, which was revived today by IGB Electronica, a Brazilian consumer electronics company that originally registered the "iPhone" name in 2000. IGB Electronica fought a multi-year battle with Apple in an attempt to get exclusive rights to the "iPhone" trademark, but ultimately lost, and now the case has been brought to...
YouTube Picture in Picture Feature

YouTube Premium Subscribers Can Now Use iOS Picture-in-Picture: Here's How

Wednesday August 25, 2021 3:55 am PDT by
Google has rolled out picture-in-picture support as an "experimental" feature for YouTube premium subscribers, allowing them to watch video in a small window when the app is closed. If you're a premium YouTube subscriber looking to try out picture-in-picture, follow these steps: Launch a web browser and sign into your YouTube account at YouTube.com. Navigate to www.youtube.com/new. Scroll...
apple privacy

Apple Publishes FAQ to Address Concerns About CSAM Detection and Messages Scanning

Monday August 9, 2021 1:50 am PDT by
Apple has published a FAQ titled "Expanded Protections for Children" which aims to allay users' privacy concerns about the new CSAM detection in iCloud Photos and communication safety for Messages features that the company announced last week. "Since we announced these features, many stakeholders including privacy organizations and child safety organizations have expressed their support of...
apple screen time screen icons

Persistent Kids Finding Loopholes in Apple's Screen Time Limits

Tuesday October 15, 2019 9:44 am PDT by
Apple is currently engaged in a cat-and-mouse game with persistent kids looking to circumvent Screen Time restrictions, but the company has been receiving some criticism for not moving quickly enough to lock down some of the loopholes, reports The Washington Post. A few of the loopholes and ways for parents to shut them down are documented on the site Protect Young Eyes, while these and...
2012macpro

Apple Outlines Metal-Capable Cards Compatible With macOS Mojave on 2010 and 2012 Mac Pro Models

Monday September 24, 2018 3:26 pm PDT by
Apple's new macOS Mojave update is not compatible with mid-2010 and mid-2012 Mac Pros with stock GPUs, but it is supported on 2010 and 2012 Mac Pro models that have been upgraded with graphics cards that support Metal. Apple today shared a new support document that provides a list of graphics cards that are Metal-capable, which will be useful for 2010 and 2012 Mac Pro owners who want to...
bluetti eb70 main

MacRumors Giveaway: Win a Bluetti EB70 Portable Power Station and 200W Solar Panel

Friday September 3, 2021 11:13 am PDT by
For this week's giveaway, we've teamed up with MAXOAK to offer MacRumors readers a chance to win a Bluetti portable power station and an accompanying solar panel. Bluetti makes a range of portable power station options that are useful for camping, emergencies, power outages, off-grid living, and similar situations. The Bluetti EB70 is a solid middle of the road option that offers 716Wh and...
anker lightning cable mfi

Unwrap a New Apple Device? Stock Up on Extra Certified Lightning Cables for as Little as $6

Monday December 25, 2017 5:45 am PST by
If you unwrapped an Apple product today it likely came with one of the company's first-party Lightning cables, but having an extra on hand is always a good idea, so you can place it in other rooms in your house, in your car, or in a bag when you travel. For that reason, now's a good time to shop for third-party Lightning cables that are cheaper than Apple's own accessory, but still Made For...
ipad pro 10 5

Apple Discontinues 10.5-Inch iPad Pro Following Launch of Lower-Priced 10.5-Inch iPad Air

Monday March 18, 2019 6:09 am PDT by
Apple has stopped selling the second-generation 10.5-inch iPad Pro, originally released in June 2017, after launching a new 10.5-inch iPad Air today. The 10.5-inch iPad Pro had remained available from $649 following the release of 11-inch and 12.9-inch iPad Pro models in October 2018, but it has been replaced by the 10.5-inch iPad Air with a cheaper starting price of $499. The new iPad...