Security researchers have brought to light a security issue in iOS 16 that affects VPNs on iPhone. This long-standing problem is still not corrected by Apple! This is bad news, as it means the VPN can leak information outside of the secure tunnel itself!
Apple regularly makes efforts to improve the security of iOS, its mobile system. We can cite for example the “Isolation” protection launched by Apple in July 2022 with the aim of protecting users from spyware. A function that has no impact on the VPN part, but which shows that Apple is making efforts in this area. Indeed, whether the Isolation mode is active or not, it does not make it possible to secure the VPN tunnel (it is rather the opposite effect).
To this day, security issues related to VPN tunnels remain present! Security researchers Tommy Mysk and Talal Haj Bakry are here to remind us, with a new demonstration. When the VPN tunnel is initialized, existing connections are not resets, which means that these connections continue tosend traffic outside the VPN tunnel. The flow outside the VPN tunnel can be unencrypted, which makes it vulnerable to certain attacks, but also to possible surveillance…
Still according to these two security researchers, Isolation mode has a detrimental effect and makes the situation worse! When activated, traffic from notifications is sent outside the VPN tunnel, which is not the case when Isolation mode is disabled. In addition, when a VPN is active, the device continues to communicate with Apple services without using the VPN. This is particularly the case with the applications Maps, Plans, Health, Apple Wallet or the Apple Store.
Update: The Lockdown Mode leaks more traffic outside the VPN tunnel than the “normal” mode. It also sends push notification traffic outside the VPN tunnel. This is weird for an extreme protection mode.
Here is a screenshot of the traffic (VPN and Kill Switch enabled) #iOS pic.twitter.com/25zIFT4EFa
— Musk 🇨🇦🇩🇪 (@mysk_co) October 13, 2022
This security issue affects the system for iPhone, namely iOSas well as the system for iPad tablets, namely iPadOS. However, it does not seem new, because we’ve been talking about it since iOS 13.3.1 available since January 2020!
For the moment, Apple has not communicated on this subject. Anyway, the VPN on iPhone and iPad is to be avoided!