Security researcher Michael Horowitz has called VPNs on iOS “a scam.” In a blog post, he exposed VPN tunnel leaks on iOS devices, with the latest investigated version being 15.6.
Horowitz intended to verify whether all data coming through a VPN-connected device indeed goes through the VPN. What he found was that every VPN on iOS has been leaking data over the course of at least the last two years.
This bug, first discovered by ProtonVPN in 2020, still exists – the tested iOS 15.4.1 still does not terminate existing connections/sessions when it creates a VPN tunnel. This exposes the user to a variety of dangers: there is no guarantee that their connections outside the VPN are encrypted, and they become vulnerable to ISP spying.
The bug affects users of ProtonVPN, WireGuard, Windscribe, and other providers.
Horowitz noted that it’s surprising the problem has persisted for this long. Proton VPN said in a statement that they have previously raised the issue with Apple.
According to Proton, in response, Apple stated that their traffic being VPN-exempt is “expected” and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution.” This restricts the benefit of privacy to those enrolled in a proprietary remote device management framework.
The existing mitigation options seem limited. As such, Proton VPN has recommended enabling Kill Switch, which will block all existing connections whenever a VPN is enabled.
“This is a puzzling statement as the purpose of a VPN Kill Switch is to disconnect the Internet should the VPN tunnel fail. It is not normally involved in existing connections at the time the VPN is enabled,” Horowitz commented on the suggestion. He also said that upon testing for VPN leaks with a Kill Switch on, no difference was noticed.
Another suggested workaround was to turn Airplane Mode on first, killing all Internet connections and temporarily disconnecting the VPN. Afterward, the user should turn Airplane Mode off so that the VPN reconnects. According to Horowitz’s testing, however, this also didn’t seem to help.
“At this point, I see no reason to trust any VPN on iOS. My suggestion would be to make the VPN connection using VPN client software in a router, rather than on an iOS device,” Horowitz concludes.
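A check of the kind described above, confirming from the router that a device's traffic all goes to the VPN server once the tunnel is up, can be sketched as follows. This is an added example, not code from Horowitz or Proton; the log format, addresses, tunnel-up time and function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src sport dst dport proto nbytes")

# Constructed router flow records (documentation address ranges), not real captures.
# Columns: timestamp, source IP, source port, dest IP, dest port, protocol, bytes.
SAMPLE_LOG = """\
100 192.168.1.50 50001 203.0.113.10 443 tcp 1200
105 192.168.1.50 50002 198.51.100.7 5223 tcp 300
120 192.168.1.50 51820 192.0.2.99 51820 udp 148
125 192.168.1.50 51820 192.0.2.99 51820 udp 9000
130 192.168.1.50 50002 198.51.100.7 5223 tcp 280
140 192.168.1.50 50003 203.0.113.77 443 tcp 640
150 192.168.1.50 5353 192.168.1.1 53 udp 80
160 192.168.1.23 40000 203.0.113.10 443 tcp 500
"""

def parse(log):
    """Turn whitespace-separated log lines into Flow records, skipping malformed lines."""
    flows = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, nbytes = parts
        flows.append(Flow(int(ts), src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows

def find_leaks(flows, device, vpn_server, tunnel_up, lan):
    """Return (kind, flow) for device traffic seen outside the tunnel after tunnel_up.

    kind is "pre-existing" when the same connection was already active before the
    tunnel came up (the behaviour the article describes), otherwise "new".
    """
    lan = ipaddress.ip_network(lan)
    before, leaks = set(), []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.src != device:
            continue
        key = (f.sport, f.dst, f.dport, f.proto)
        if f.ts < tunnel_up:
            before.add(key)  # remember connections opened before the VPN
            continue
        if f.dst == vpn_server or ipaddress.ip_address(f.dst) in lan:
            continue  # tunnel traffic and local LAN traffic are expected
        leaks.append(("pre-existing" if key in before else "new", f))
    return leaks

if __name__ == "__main__":
    for kind, f in find_leaks(parse(SAMPLE_LOG), "192.168.1.50", "192.0.2.99", 120, "192.168.1.0/24"):
        print(kind, f.ts, f.dst, f.dport, f.proto, f.nbytes)
```

On the constructed sample, the connection to port 5223 that was open before the tunnel came up is reported as pre-existing because it keeps sending outside the tunnel afterward.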