Two years ago, Proton VPN disclosed a vulnerability in Apple’s iOS that lets in a user’s VPN traffic to leak out of doors of the VPN tunnel, unencrypted.
The vulnerability was as soon as initially said to have an impact on iOS model 13.3.1. Mullvad VPN furthermore warned of the situation in 2020. And this yr, researcher Michael Horowitz said the vulnerability exists in iOS model 15.6.1.
Now, original analysis claims the vulnerability composed exists in iOS 16, the logo-original model of Apple’s cellular operating gadget. Security researchers at Mysk have demonstrated that iOS 16 communicates with Apple products and services out of doors of an active VPN tunnel and leaks DNS requests.
“We explain that iOS 16 does talk with Apple products and services out of doors an active VPN tunnel,” the researchers tweeted. “Worse, it leaks DNS requests. Apple products and services that acquire away the VPN connection include Health, Maps, Pockets.”
VPN customers with vital privacy wants admire journalists, dissidents and activists are particularly at threat if their traffic leaks.
In most cases, when a user connects to a VPN, existing internet connections would perhaps per chance must be terminated by the operating gadget, then re-established by the encrypted VPN tunnel. Information leaking unencrypted out of doors of an active VPN tunnel can pose extreme privacy and security dangers because a user’s correct IP handle and various sensitive information can even furthermore be uncovered to the user’s ISP, network administrators, authorities agencies and cybercriminals.
Moreover, the researchers indicated that information leaks persisted even with Apple’s original Lockdown Mode enabled. In truth, they are saying the leaks had been worse in that mode.
Update: The Lockdown Mode leaks more traffic out of doors the VPN tunnel than the “same previous” mode. It furthermore sends push notification traffic out of doors the VPN tunnel. Right here is uncommon for an coarse protection mode.
Right here’s a screenshot of the traffic (VPN and Shatter Swap enabled) #iOS pic.twitter.com/25zIFT4EFa
— Mysk 🇨🇦🇩🇪 (@mysk_co) October 13, 2022
Apple did no longer straight answer to CNET’s request for commentary. Nonetheless according to Apple’s space, Lockdown Mode is “optional, coarse protection that is designed for the very few individuals who, attributable to who they are or what they enact, would be for my fragment focused by some of basically the most sophisticated digital threats.”
Proton VPN outlined a doubtless workaround in its blog post documenting the situation. Users would perhaps per chance must first join to a VPN server, enable Airplane Mode on their iOS tool (to assassinate all internet connections and rapid disable the VPN) and then disable Airplane Mode. The VPN would perhaps per chance must then reconnect, and all internet connections would perhaps per chance must be re-established by the VPN tunnel. Alternatively, Proton VPN does warn that there isn’t any longer any longer any 100% guarantee that this fashion will work.
“Right here is something that has unfortunately lingered in spite of us recurrently raising the matter with Apple over a lengthy stretch of time. Knowing that, it be fee reiterating that this situation is a byproduct of an iOS flaw, no longer some kind of malicious program within Proton VPN,” a Proton spokesperson instructed CNET in an emailed assertion. “The leak likewise impacts VPN products and services at some stage in the board, no longer simply Proton. This case is clearly suboptimal, however it completely does no longer expose user browsing historical previous or assorted online process.”
