An iOS Bug Is Preventing VPN Apps From Encrypting Network Traffic

Last updated September 23, 2021
Written by:
Bill Toulas
Bill Toulas
Infosec Writer

All Apple devices running the latest iOS 13.4 are vulnerable to an unfixed bug that prevents VPN apps from encrypting network traffic. It means that a large number of iPhones and iPads (running iOS v13.3.1 or later) using any third-party VPN tool could be exposing their real IP address and network traffic publicly. A ProtonVPN security consultant first discovered this issue, and he rated it with a CVSS v3.1 score of 5.3, so it’s categorized as “medium.” The disclosure comes now, 90 days after it has been reported to Apple, but there’s no fix out yet.

The problem lies in how iOS is handling the internet connections, as none of them are reset when users connect to a VPN. With the existing connections not being terminated, there’s a good chance that the network traffic won’t pass through the VPN tunnel, even though the link with the VPN server has been successfully established. Some connections last for only a few minutes, but some may go for hours before getting reset. It means that you may have created a connection with a VPN server hours ago, but you may be leaking your IP and browsing data out there.

ios-device-network-ip-wireshark

Source: ProtonVPN

The worst part of this flaw is that, while VPNs know about the problem, the iOS isn’t allowing the applications to reset the existing network connections. Thus, there can be no fix coming from the vendors of the VPN apps. Apple suggests that users should deploy “Always-on VPN,” but this wouldn’t solve the problem on third-party VPN apps. The only temporary workaround right now is the following:

  1. Connect to a VPN server.
  2. Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.
  3. Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel.

However, you should keep in mind that even the approach above is not 100% reliable. Some internet reconnections may persist outside the VPN tunnel, rebounding directly from their pre-airplane mode activation state. Unfortunately, due to the nature of this bug, there’s no way to tell if the workaround has helped you or not unless you use a network packet traffic analyzer like Wireshark. If you only see traffic between the device IP and the VPN server on Wireshark, it means you’re protected.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: