An unpatched vulnerability in iOS 13.3.1 and later means connections established before turning on a VPN will remain outside the VPN’s secure tunnel.
“Typically, when you connect to a virtual private network (VPN), the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel,” explained VPN provider ProtonVPN.
“A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections.”
ProtonVPN said that while most of these connections are short-lived, some of these unprotected connections can remain open for minutes or even hours.
It highlighted that this vulnerability can affect any app or service – including instant messaging apps and Apple’s push notifications.
How user data is exposed
According to ProtonVPN, this vulnerability could allow user data to be exposed if these non-protected connections are not encrypted themselves.
More importantly, however, attackers could see the user’s IP address, as well as the addresses of the servers they’re connecting to.
This would be the user’s true address, rather than the address of the VPN server.
Because of this, those in countries where surveillance is common are at high risk of having their web history exposed.
How to work around the vulnerability
ProtonVPN said that neither it nor any other VPN service could implement a technical workaround as iOS does not allow VPN apps to terminate existing network connections.
However, users can manually ensure that all old connections are terminated by doing the following:
- Connect to any ProtonVPN server.
- Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN.
- Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also reconnect inside the VPN tunnel.
However, ProtonVPN cautioned that it could not absolutely guarantee that all connections would reconnect inside the VPN tunnel.
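Because the workaround above cannot guarantee that every connection re-establishes inside the tunnel, the practical check is to list the device's established sockets after the VPN is up and flag any that are still sourced from the physical interface rather than the tunnel interface. iOS does not let an app or user enumerate sockets, so the script below is an added example, not ProtonVPN's code, meant for a macOS or Linux host where `ss -tn` output (or equivalent) is available; the addresses, the tunnel interface address `10.8.0.2`, the VPN server `198.51.100.7` and the sample socket table are all constructed for illustration. The VPN's own transport socket to the VPN server legitimately lives on the physical interface and is excluded; everything else that is not bound to the tunnel address is reported.

```python
import ipaddress
import subprocess
from dataclasses import dataclass

# Constructed `ss -tn`-style snapshot taken *after* the VPN came up.
# Physical interface: 192.0.2.10 / 2001:db8::10, tunnel interface: 10.8.0.2,
# VPN server: 198.51.100.7 (all documentation/example addresses, not real hosts).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port
ESTAB  0      0      192.0.2.10:41194       198.51.100.7:443
ESTAB  0      0      10.8.0.2:51310         203.0.113.20:443
ESTAB  0      0      192.0.2.10:51440       203.0.113.9:5223
ESTAB  0      0      127.0.0.1:52000        127.0.0.1:8080
ESTAB  0      0      [2001:db8::10]:51500   [2001:db8:ffff::1]:443
"""


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def split_addr(addr: str) -> tuple[str, int]:
    """Split 'host:port' or '[v6host]:port' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss_output(text: str) -> list[Conn]:
    """Parse established TCP sockets from `ss -tn` output (header tolerated)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "ESTAB":
            continue
        lip, lport = split_addr(parts[3])
        rip, rport = split_addr(parts[4])
        conns.append(Conn(lip, lport, rip, rport))
    return conns


def connections_outside_tunnel(conns, tunnel_addrs, vpn_server_ips) -> list[Conn]:
    """Return established sockets that bypass the tunnel.

    A socket is 'inside' the tunnel when its local address is one of the tunnel
    interface addresses.  Loopback sockets never leave the host and the VPN's own
    transport socket (peer == VPN server) must use the physical interface, so both
    are ignored.  Anything else still bound to a physical address was established
    before the VPN came up (or reconnected outside it) and is reported.
    """
    tunnel = {ipaddress.ip_address(a) for a in tunnel_addrs}
    servers = {ipaddress.ip_address(a) for a in vpn_server_ips}
    leaked = []
    for c in conns:
        lip = ipaddress.ip_address(c.local_ip)
        if lip.is_loopback or ipaddress.ip_address(c.remote_ip) in servers:
            continue
        if lip not in tunnel:
            leaked.append(c)
    return leaked


def live_snapshot() -> list[Conn]:
    """Read the real socket table with iproute2's `ss -tnH` (Linux only)."""
    out = subprocess.run(["ss", "-tnH"], capture_output=True, text=True, check=True).stdout
    return parse_ss_output(out)


if __name__ == "__main__":
    # Run on the embedded sample; swap in live_snapshot() on a Linux host.
    for c in connections_outside_tunnel(parse_ss_output(SAMPLE_SS), ["10.8.0.2"], ["198.51.100.7"]):
        print(f"outside tunnel: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port}")
```

On the sample, the long-lived connection from the physical IPv4 address and the IPv6 connection are reported, while the tunnelled socket and the VPN transport socket are not; a clean result after the airplane-mode cycle is an empty list. Note that the IPv6 row is flagged only because no tunnel IPv6 address was supplied, which is exactly the dual-stack case worth double-checking.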
Apple has recommended that users enable Always-on VPN to mitigate this issue, although this does not work for third-party VPNs like ProtonVPN.