top of page

Don't Trust That VPN!

This week, MacRumors discussed a vulnerability in IOS VPNs that is particularly unsettling. It is even more worrisome, given that security researchers reported the issue in IOS 13.3.1 in March 2020. VPNs create a secure, shared space where data, services, and communications may occur in private. Further, at the client end, they prevent a hotel, coffee-shop hacker, government, or general busybody from surveilling that traffic. Even if all the leaked traffic in this article uses cryptography (i.e., encrypted DNS using DNS over TLS or DNS over HTTPS) for the integrity and confidentiality of the content, the address information is still exposed to surveillance. Merely capturing this information can reveal much about the client's activity.

In some cases, researchers noted that lockdown mode, which is supposed to force all traffic into the VPN, leaks worse than split-tunnel mode. Simply inexcusable.

The problem remains unresolved in IOS 16. Apple has been aware of this severe flaw for 2.5 years without addressing it.

Android devices have a similar flaw, but the IOS problem is worse. Android intentionally makes a single request outside the VPN to determine if there is a captive portal. In the opinion of many, this is unnecessary, and an RFC (7710) addresses this use case. There are other reported leaks, including calls to the Google DNS servers. However, At the same time, IOS allows connections established before the VPN was enabled to continue and leaks DNS requests, meaning the websites you are accessing appear in plaintext over the host network. Further, Apple's apps and IOS bypass the VPN to send various data to Apple services and Amazon Web Services.

Engaging airplane mode before turning on the VPN reduces the leakage but does not constitute a solution by any means, and one should not trust this as a workaround.

Researchers report this behavior with OpenVPN running Wireguard and believe the behavior is endemic to the operating system, thus affecting any VPN technology. Both Apple and Android owe their users fixes for these problems. MacOS and Windows have issues, too, although the current focus is on mobile platforms. In short, no consumer-grade OS can be appropriately considered secure.

VPNs offer some limited protection but hardly reach the "magic bullet" claims made for them. We do not say VPNs are useless, but If you genuinely need a secure VPN client, you must use a security-focused Linux platform.

13 views0 comments


bottom of page