iOS VPNs Have Leaked Traffic For More Than 2 Years, Researcher Claims (arstechnica.com)
A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years. From a report: Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly -- if contentiously -- in a continually updated blog post. "VPNs on iOS are broken," he says. Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.
In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be re-established inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020. "Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."
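The summary above describes the leak as something Horowitz found with router logging: connections opened before the VPN came up keep sending outside the tunnel. As an added example (not from the article or Horowitz's post), here is a small Python check over constructed router flow records that flags device traffic bypassing the VPN endpoint after activation, and separates persisted pre-VPN connections from new connections that never entered the tunnel. The device address, VPN endpoint and activation time are constructed assumptions.

```python
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of router flow records (not real captured data):
# "<iso timestamp> <src ip> <dst ip:port> <bytes>", one record per batch.
SAMPLE_LOG = """\
2022-08-01T10:00:01 192.168.1.20 203.0.113.10:443 1200
2022-08-01T10:00:05 192.168.1.20 198.51.100.7:1194 900
2022-08-01T10:00:09 192.168.1.20 203.0.113.10:443 800
2022-08-01T10:00:12 192.168.1.20 198.51.100.7:1194 4100
2022-08-01T10:00:15 192.168.1.20 203.0.113.25:443 640
"""
DEVICE_IP = "192.168.1.20"          # assumed: the iOS device on the LAN
VPN_ENDPOINT = "198.51.100.7:1194"  # assumed: the VPN server the tunnel goes to
VPN_UP = "2022-08-01T10:00:05"      # assumed: moment the tunnel was established


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str      # "ip:port"
    nbytes: int


def parse_log(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow records into Flow tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return flows


def find_leaks(flows: List[Flow], device_ip: str, vpn_endpoint: str,
               vpn_up: str) -> Dict[str, Tuple[str, int]]:
    """Return {dst: (kind, bytes sent after VPN activation)} for every
    destination the device kept talking to outside the tunnel."""
    up = datetime.fromisoformat(vpn_up)
    seen_before = {f.dst for f in flows if f.src == device_ip and f.ts < up}
    leaks: Dict[str, Tuple[str, int]] = {}
    for f in flows:
        # Only device traffic after activation that is not the tunnel itself counts.
        if f.src != device_ip or f.ts < up or f.dst == vpn_endpoint:
            continue
        kind = ("pre-VPN connection persisted" if f.dst in seen_before
                else "new connection outside tunnel")
        leaks[f.dst] = (kind, leaks.get(f.dst, (kind, 0))[1] + f.nbytes)
    return leaks


def analyse_sample() -> Dict[str, Tuple[str, int]]:
    return find_leaks(parse_log(SAMPLE_LOG), DEVICE_IP, VPN_ENDPOINT, VPN_UP)
```

Run against real router exports, the same logic works on any log that carries a timestamp, source, destination and byte count per flow.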
Unclear if this should be seen as a bug (Score:3)
It's nice not to need to special-case the VPN connection itself, and it may be surprising to have existing connections terminated (like ssh sessions).
Re: (Score:2)
it may be surprising to have existing connections terminated (like ssh sessions).
Just what I came here to say.
Re: (Score:2)
I used an iPhone 4S. As soon as I could get to Android, I got the fuck out of the Apple ecosystem.
I enjoy being able to do what I want without needing Apple's permission.
Fair enough. The limitations of the Apple ecosystem haven't really affected me but if they did - i.e. somebody came with some awesome thing that the freedom of Android allows but the restrictions of iOS don't - then I would have no issues switching. Though I don't have a big library of purchased apps that I would be leaving behind so that makes the switch pretty trivial.
Apple's devices are the Camry (or Honda CRV?) of the smartphone world, long-lived, most common smartphone in the world, no significant
Re: (Score:2)
Last time I checked you couldn't even move icons freely. It always snapped them so there are no gaps between icons. Which is sad when you want to avoid certain areas of your wallpaper.
Yawn (Score:1)
Ugh! So obvious troll. You bore me.
Re: (Score:2)
Also, there was a Samsung Galaxy phone that supported 10X optical zoom back in 2014. Not even the iPhone 14 due out next month is going to support 10X optical zoom. Rumors have it that Apple will wait until 2023 to include 10
Re: (Score:1)
I think I'm responding to a troll here, but have you seen the 2014 Galaxy phone that you're referring to (Samsung Galaxy K Zoom)? It's like they took a huge retracting zoom lens off of a digital camera and attached it onto the back of a phone. It's an interesting experiment, but overall a huge compromise to get even a small amount of optical zoom on there.
While I'll admit that Apple is sometimes late to the party with some features, there's no way they can compete with designs that are a huge compromise in
This is news? (Score:2)
I'm pretty surprised that anybody that cares isn't aware of this. My WireGuard VPN will show Active even though it isn't, and when the connection falters it is quite clear what is going on. It would be easy enough on the client side to have a canary verify connection to a remote host prior to sending further traffic.
Dammit! (Score:1)
Now we gotta put the VPN on a VPN. It's VPNs all the way down to the turtles.
Re: (Score:1)
Would those turtles happen to be ninja, mutant and teenage in age?
Re: (Score:1)
Ask Mitch M., he's the resident turtle expert.
Re: (Score:2)
Yo dawg!
I guess notable, but not sure how significant? (Score:2)
Doesn't surprise me a security researcher would get all excited to find something like this... but how much impact does it really have for typical use-cases? If I'm understanding correctly here, he's simply saying that if you start a network connection someplace before you connect up your VPN on a Mac, that connection will keep on going, outside the new VPN tunnel. But presumably, all NEW connections started once the VPN is connected will go through it properly?
If so, wouldn't this only be a concern for pe
Re: (Score:2)
Doesn't surprise me a security researcher would get all excited to find something like this... but how much impact does it really have for typical use-cases? If I'm understanding correctly here, he's simply saying that if you start a network connection someplace before you connect up your VPN on a Mac, that connection will keep on going, outside the new VPN tunnel. But presumably, all NEW connections started once the VPN is connected will go through it properly?
If so, wouldn't this only be a concern for people who started an activity and then said, "Oops! I meant to hide that in this VPN tunnel but I forgot to launch it first!"?
This is iOS; not macOS.
This is by design (Score:3)
Just check out what they tried to pull off here. They had to backtrack on their plans because of the public outrage:
https://threatpost.com/apple-k... [threatpost.com]
Re: (Score:2)
Well, you've also got to consider, you've got services running on an iOS device like "Find My", which aren't going to do people much good if their reporting is partially based on the IP geographic region of the VPN hosting service, which might be 1,000+ miles from the person who stole the iPhone or iPad.
From some of the posts over on Ars, from people who did a lot more testing of their own on this issue? It sounds like the only traffic at least one of them was seeing "leaking" was related to basic Apple ser
Re:This is by design (Score:4, Informative)
you've got services running on an iOS device like "Find My", which aren't going to do people much good if their reporting is partially based on the IP geographic region of the VPN hosting service
The "Find My" service will not use IP addresses for location lookup. It is nowhere near accurate enough. Instead, Apple maintains a map of observable access points along with associated GPS coordinates for said access points. A device just has to send a list of observed access points along with their signal strength, and Apple returns the most likely location.
There was previously a big scandal regarding how Apple was spying on people and reporting their IP address. Well this was overblown. What Apple was actually doing was reporting observed GPS location and observed access points in order to build this map. The underlying reason was to allow for location services. No identifying information required so this was not the big privacy scandal some made it out to be.
Long-dupe? (Score:2)
I can't find the old story, but I'd swear I read about this several months ago.
VPN Purpose (Score:2)
Whether or not you consider so-called "leaked" traffic to be a problem depends on what you're expecting a VPN to do. As an IT worker, I use VPNs to create a secure tunnel into a private network (e.g. to access my home LAN or office LAN while somewhere else). In this scenario, I don't consider it appropriate or desirable to have *all* my network traffic travel over the VPN tunnel - only the traffic that's actually destined for the target LAN.
What's been happening for a while is that vendors are touting VPNs
You need to run the VPN on another machine (Score:2)
Leaks are nearly impossible to kill on a "regular" machine, with full connectivity, expected to also talk to the internet normally when the VPN is down and so on. Most VPNs have some kind of "kill switch" but of course they fail in various corner cases. Never mind running this on a black box where you aren't the admin, like the iPhone.
Even if you're a seasoned admin with full control over your box you WILL run into various things you didn't foresee. It's probably more reliable to just run Tails, they're man
not a bug (Score:1)
Re: (Score:2)
It's a bug.
Anyone paying for a VPN service is intending to protect ALL of their traffic from threats from the local network. What if you are on a network with a compromised router or DNS server actively performing man-in-the-middle attacks? It absolutely should break active connections because they could be active attacks.
Re: (Score:2)
It's a bug.
Anyone paying for a VPN service is intending to protect ALL of their traffic from threats from the local network. What if you are on a network with a compromised router or DNS server actively performing man-in-the-middle attacks? It absolutely should break active connections because they could be active attacks.
From Apple's POV, it's a "Damned if you do; damned if you don't" scenario.
Break existing connections, and a zillion angry users complain that "Apple can't do VPNs".
Don't break existing connections, and some zealot, attention-seeking "Security Ex-Spurt" complains "Apple can't do VPNs".
The real answer is that neither behavior is perfect; but maybe Apple could provide either an Option in Settings; or could pop-up a Dialog, asking whether the User wanted Split Tunneling (worded non-technically, of course) for t
Re: (Score:1)
...but maybe Apple could provide either an Option in Settings; or could pop-up a Dialog, asking whether the User wanted Split Tunneling...
Why would you expect an OS to control that when the app is supposed to?
Perhaps you are unfamiliar with how iOS does Application Preferences.
Many Apps on iOS (especially ones that are kinda "Background-y"), Expose their Configuration Settings in the "Settings" "App". It's just a Design feature of iOS. It theoretically makes it easier for the User to find "Settings" in one place. Dunno; but it is what it is.
Also, if you don't even know enough about iOS to know that most basic fact about how an App can expose its Settings in "Settings", do you really think you should be commentin
Re: (Score:2)
From Apple's POV, it's a "Damned if you do; damned if you don't" scenario.
Why? It's not a problem for anybody else, just Apple who decides to "think different".
Funny, I read several comments to this Article that claim that Android (and other) VPNs typically work the same way. E.g., https://yro.slashdot.org/comme... [slashdot.org], https://yro.slashdot.org/comme... [slashdot.org]
So, now what?