IOS vulnerability prevents VPN networks from encrypting web traffic correctly

Information security awareness specialists have revealed the finding of a virtual private network (VPN) bypass vulnerability affecting iOS devices.

Typically, when a user connects to a VPN, their device’s operating system closes all existing Internet connections and then resets them through the VPN tunnel. In iOS version 13.3.1, the operating system fails to close existing connections appropriately. Most connections are short-lived and eventually reset themselves through the VPN tunnel. However, some are persistent and can remain open for minutes, and even hours, outside the VPN tunnel.

For example, Apple push notification service, which maintains a long-lasting connection between the device and the company’s servers, information security awareness specialists say. Although the problem was detected at Apple, researchers say any other similar services could be affected. 

This flaw would allow user data to be exposed if the affected connections are not encrypted, although it should be mentioned that this would not be a normal situation. In fact, this condition could be able to generate an IP leakage scenario, which could allow threat actors to access to affected users’ data.

According to the information security awareness specialists, the most at-risk users are those living in countries where monitoring and monitoring online activities are common, such as China, besides other countries where civil and free Internet use rights scarce.  

The International Institute of Cyber Security (IICS) mentions that connections established after VPN is enabled are not affected by this security flaw. However, connections that are already running prior to VPN service enablement are compromised. Users are encouraged to expect an Apple update. Details about this vulnerability existing in other operating systems could be publicly disclosed in the near future.  

The International Institute of Cyber Security (IICS) also recommends checking the official platforms of the developers of this distribution to download the corresponding updates and find more details about these flaws.