Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
IOS Privacy Safari Apple

iOS VPNs Have Leaked Traffic For More Than 2 Years, Researcher Claims (arstechnica.com) 45

A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years. From a report: Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly -- if contentiously -- in a continually updated blog post. "VPNs on iOS are broken," he says. Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be re-established inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020. "Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

This discussion has been archived. No new comments can be posted.

iOS VPNs Have Leaked Traffic For More Than 2 Years, Researcher Claims

Comments Filter:
  • It's nice not to need to special-case the VPN connection itself, and it may be surprising to have existing connections terminated (like ssh sessions).

  • I'm pretty surprised that anybody that cares isn't aware of this. My Wireguard VPN will show Active even though it isn't, and when the connection falters it is quite clear what is going on. It would be easy enough on the client side to have a canary verify connection to a remote host prior to sending further traffic.

    • by bn-7bc ( 909819 )
      Well I'm goung to guess here, but ghe fact that wireguard is udb based, there is no connection state ( at keast nit in the tcp/udp stack) so unless the wg client it self does something ( pings the remote end of the tunnel ( the tunneks default gw)) there is no way for the client ( beyond getting no inbound data) to detect that the tunnel is "down". And during activation well if the hostname resolves the cluent is non the wiser. Since al configs are static ni negotiations are needed, but alkso there are non
  • now we gotta put the VPN on the a VPN. It's VPN's all the way down to the turtles.

  • Doesn't surprise me a security researcher would get all excited to find something like this... but how much impact does it really have for typical use-cases? If I'm understanding correctly here, he's simply saying that if you start a network connection someplace before you connect up your VPN on a Mac, that connection will keep on going, outside the new VPN tunnel. But presumably, all NEW connections started once the VPN is connected will go through it properly?

    If so, wouldn't this only be a concern for pe

    • by tlhIngan ( 30335 )

      Doesn't surprise me a security researcher would get all excited to find something like this... but how much impact does it really have for typical use-cases? If I'm understanding correctly here, he's simply saying that if you start a network connection someplace before you connect up your VPN on a Mac, that connection will keep on going, outside the new VPN tunnel. But presumably, all NEW connections started once the VPN is connected will go through it properly?

      If so, wouldn't this only be a concern for peo

    • Doesn't surprise me a security researcher would get all excited to find something like this... but how much impact does it really have for typical use-cases? If I'm understanding correctly here, he's simply saying that if you start a network connection someplace before you connect up your VPN on a Mac, that connection will keep on going, outside the new VPN tunnel. But presumably, all NEW connections started once the VPN is connected will go through it properly?

      If so, wouldn't this only be a concern for people who started an activity and then said, "Oops! I meant to hide that in this VPN tunnel but I forgot to launch it first!"?

      This is iOS; not macOS.

  • by devslash0 ( 4203435 ) on Wednesday August 17, 2022 @04:37PM (#62798513)

    Just check out what they tried to pull off here. They had to backtrack on their plans because of the public outrage:
    https://threatpost.com/apple-k... [threatpost.com]

    • by King_TJ ( 85913 )

      Well, you've also got to consider, you've got services running on an iOS device like "Find My", which aren't going to do people much good if their reporting is partially based on the IP geographic region of the VPN hosting service, which might be 1,000+ miles from the person who stole the iPhone or iPad.

      From some of the posts over on Ars, from people who did a lot more testing of their own on this issue? It sounds like the only traffic at least one of them was seeing "leaking" was related to basic Apple ser

      • Re:This is by design (Score:4, Informative)

        by willy_me ( 212994 ) on Wednesday August 17, 2022 @06:00PM (#62798671)

        you've got services running on an iOS device like "Find My", which aren't going to do people much good if their reporting is partially based on the IP geographic region of the VPN hosting service

        The "Find My" service will not use IP addresses for location lookup. It is nowhere near accurate enough. Instead, Apple maintains a map of observable access points along with associated GPS coordinates for said access points. A device just had to send a list of observed access points along with their signal strength and Apple returns the most likely location.

        There was previously a big scandal regarding how Apple was spying on people and reporting their IP address. Well this was overblown. What Apple was actually doing was reporting observed GPS location and observed access points in order to build this map. The underlying reason was to allow for location services. No identifying information required so this was not the big privacy scandal some made it out to be.

  • I can't find the old story, but I'd swear I read about this several months ago.

  • So, I am not expert... Does this mean the SurfEasy VPN that I pay for is only partially safe or not safe at all?
  • You created a connection. Everything on that connection was leaking, because you used no VPN. The complaint is about starting VPN which keeps the connection running. But anything before VPN was started did already leak.
  • Whether or not you consider so-called "leaked" traffic to be a problem depends on what you're expecting a VPN to do. As an IT worker, I use VPNs to create a secure tunnel into a private network (e.g. to access my home LAN or office LAN while somewhere else). In this scenario, I don't consider it appropriate or desirable to have *all* my network traffic travel over the VPN tunnel - only the traffic that's actually destined for the target LAN.

    What's been happening for a while is that vendors are touting VPNs

  • Leaks are nearly impossible to kill on "regular" machine, with full connectivity, expected to also talk to the internet normally when the VPN is down and so on. Most VPNs have some kind of "kill switches" but of course they fail in various corner cases. Never mind running this on a black box where you aren't the admin, like the iPhone.

    Even if you're a seasoned admin with full control over your box you WILL run into various things you didn't foresee. It's probably more reliable to just run Tails, they're man

  • Hah I venture the thought that this is a feature. I really would not want to have my connections broken all of a sudden by starting up a VPN. Because if that VPN could do that, what other manipulations of the network stack could go on outside of my knowledge.
    • It's a bug.

      Anyone paying for a VPN service is intending to protect ALL of their traffic from threats from the local network. What if you are on a network with a compromised router or DNS server actively performing man-in-the-middle attacks? It absolutely should break active connections because they could be active attacks.

      • It's a bug.

        Anyone paying for a VPN service is intending to protect ALL of their traffic from threats from the local network. What if you are on a network with a compromised router or DNS server actively performing man-in-the-middle attacks? It absolutely should break active connections because they could be active attacks.

        From Apple's POV, it's a "Damned if you do; damned if you don't" scenario.

        Break existing connections, and a zillion angry users complain that "Apple can't do VPNs".

        Don't break existing connections, and some zealot, attention-seeking "Security Ex-Spurt" complains "Apple can't do VPNs".

        The real answer is that neither behavior is perfect; but maybe Apple could provide either an Option in Settings; or could pop-up a Dialog, asking whether the User wanted Split Tunneling (worded non-technically, of course) for t

      • by ruurd ( 761243 )
        If you are that security conscious then you probably are a tiny minority of a tiny minority because Joe User even does not remotely care or is an interesting party in the first place. Then again chances are that as a security conscious person you have paranoia instead of actually being endangered by this kind of attack. As others have already said: not even remotely interesting. If you are endangered by this kind of attack DO NOT USE A MOBILE PHONE!!! AT ALL.
  • Hello everyone Not so long ago, I wanted to find out where you can find music and download it. My friend recommended this article to me https://clearvpn.com/blog/best... [clearvpn.com], from which I learned about where I can find such places to conveniently download the music I need. It turned out to be really very useful, I recommend you to try it!

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...