Apple has endured a few difficult months on the security front, with a trail of issues that have risked shaking user confidence. Whether the mail vulnerability, the so-called “text bomb,” or the iOS 13.5 zero-day jailbreak, our expectation was that all would be fixed by the time iOS 13.5.1 rolled out. Unfortunately, that’s not the case. One serious vulnerability has not been fixed, leaving millions at risk. And given that the latest iOS releases have been all about security fixes, that’s a huge surprise.
Back in March, I reported that a serious issue with the way Apple handles VPN traffic had been found in iOS 13.1 onward. That issue remains. Put simply, apps opened after enabling a VPN are safe, but connections open at the time the VPN is enabled can bypass its security and leak your data on the open internet. At the time, I suggested Apple would fix this quickly—but apparently not. This is a hidden risk—users will be totally unaware they are exposed, having enabled their VPNs.
First disclosed by the team at ProtonVPN, the issue has serious consequences for users who rely on VPNs to keep them safe—think activists, reporters, lawyers and the millions of users in countries with restricted online access. ProtonVPN tells me that the issue impacts popular social media apps and sites, such as Twitter, which “notify users of new messages,” as well as “news sites, which continuously update content through a standing connection.”
So, what does this mean in practice? ProtonVPN warns that “if a user, say an activist in Hong Kong, is under surveillance, these exposed connections make it possible for their online activity to be tracked.” The risk, the team says, is not hard to exploit. “This sort of attack is simple with freely available, easy-to-use software.”
Sniffing out content is one thing in theory, but the obvious protection for users is that most of their content is now encrypted. What isn’t encrypted, at least not yet, are the IP addresses that a user accesses and visits. As ever, security agencies and bad actors—think authoritarian regimes—can make full use of this data to identify activists and dissidents. “You don’t need the content to create quite detailed behavior profiles,” ProtonVPN says. “The metadata is already enough.”
VPN use is undergoing an unprecedented surge as millions find themselves working remotely and with more time than usual on their hands. We also have simultaneous unrest in many parts of the world, where the use of VPNs is critical to protect the identity and locations of those who fear repercussions.
“In the last couple of weeks, we’ve seen a massive increase in VPN use in Hong Kong,” ProtonVPN tells me, “as people defend themselves against government surveillance in light of Beijing’s new security laws. If network operators were required to share data with the authorities, as is the case with all network operators in mainland China, it’s possible that this vulnerability could be used to undermine the VPN protections and spy on normal, law-abiding citizens.”
NordVPN Teams has seen the same spike in activity in Hong Kong, reporting “175% growth in business VPNs and 120 times more usage on personal VPNs, amid cybersecurity and restriction fears.” NordVPN also told me it saw tens of thousands of Hong Kong residents starting to use its software “in the 24-hours after the legislation was announced.”
ProtonVPN tested iOS 13.5.1, confirming the VPN issue remained. According to Andy Yen, ProtonVPN’s CEO, his team “has raised the vulnerability with Apple on multiple occasions starting over six months ago. We believe the issue really should be resolved because many people trust Apple devices due to supposedly better privacy and security, and this greatly undermines VPN security for all users.”
Apple was approached for any comments on this story before publishing.
ProtonVPN warns that there is no easy workaround, “because iOS does not permit a VPN app to kill existing network connections.” The best a user can do is enable a VPN and then kill their internet connection by temporarily putting the device into flight mode. The theory is that this then reloads all those apps inside the VPN’s protection once the connection is restored. Enterprise users with mobile device management profiles have more advanced “always on” options, but these are not available to regular users—and that’s most of those at risk from this vulnerability.
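The leak described above is a matter of which sockets were open before the tunnel came up. As an added example (not ProtonVPN's or Apple's code), the check below flags established TCP connections whose local address is not the VPN tunnel's address, which is the fingerprint of a connection that predates the tunnel. It assumes a Linux-style socket listing in the layout of `ss -Htn` (state, Recv-Q, Send-Q, local address:port, peer address:port) and that the address the VPN client assigned to its tunnel interface is known; the sample listing is constructed. iOS offers no shell, so this is a way to verify the "drop every connection, then reconnect" workaround on a laptop or desktop, not on the phone itself.

```python
"""Flag established TCP connections that bypass the VPN tunnel.

A socket opened before the VPN came up keeps the physical interface's
address as its local address; sockets opened afterwards use the tunnel's
address. Listing the former after enabling the VPN shows what still leaks.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in `ss -Htn` layout (documentation IP ranges, not a real capture).
# 10.8.0.6 is the assumed tunnel address; 192.168.1.23 is the assumed Wi-Fi address.
SAMPLE_SS_OUTPUT = """\
ESTAB 0 0 10.8.0.6:49211 203.0.113.10:443
ESTAB 0 0 192.168.1.23:51022 203.0.113.11:443
ESTAB 0 0 192.168.1.23:51040 198.51.100.67:443
ESTAB 0 0 10.8.0.6:49230 198.51.100.68:443
ESTAB 0 0 [fd00::23]:51050 [2001:db8::1]:443
CLOSE-WAIT 0 0 192.168.1.23:50001 198.51.100.5:80
"""

# Matches "1.2.3.4:443" and bracketed IPv6 "[2001:db8::1]:443".
ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]+)\]|(?P<v4>[^:]+)):(?P<port>\d+)$")


@dataclass(frozen=True)
class Conn:
    state: str
    local: str
    local_port: int
    peer: str
    peer_port: int


def _split_addr(token: str) -> tuple[str, int]:
    m = ADDR_RE.match(token)
    if m is None:
        raise ValueError(f"unparseable address: {token!r}")
    return (m.group("v6") or m.group("v4")), int(m.group("port"))


def parse_ss(output: str) -> list[Conn]:
    """Parse `ss -Htn` lines; ignores malformed or short lines."""
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        state, _recvq, _sendq, local, peer = parts[:5]
        lh, lp = _split_addr(local)
        ph, pp = _split_addr(peer)
        conns.append(Conn(state, str(ipaddress.ip_address(lh)), lp, ph, pp))
    return conns


def leaking_connections(output: str, tunnel_addrs: list[str]) -> list[Conn]:
    """Established connections not bound to any of the tunnel's addresses."""
    tunnel = {str(ipaddress.ip_address(a)) for a in tunnel_addrs}
    return [c for c in parse_ss(output) if c.state == "ESTAB" and c.local not in tunnel]
```

An empty result after reconnecting means every live socket was re-established through the tunnel; anything listed is still talking to its peer over the physical interface.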