• VPNs on iOS are a scam

    #2470862

    https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php

    VPNs on iOS are broken. At first, they appear to work fine. The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6. This data leak was first publicized by ProtonVPN in March 2020 and iOS v13. (Added this section on Aug. 5, 2022)

    ..Once a VPN connection (the official term is a “tunnel”) is established, all data coming and going from the VPN-connected device is supposed to go through the VPN. Does it? That’s what I set out to verify. Certainly most data passes through the VPN tunnel, but I was curious about all data…

    I ran across a March 2020 blog by ProtonVPN, VPN bypass vulnerability in Apple iOS, that describes a bug in iOS 13 and 14. The nature of the bug is that the VPN tunnel does not assimilate all the bits. Some escape. The Borg would not be happy.

    What ProtonVPN wrote about is a VPN leak, rather than a DNS leak. Connections that exist at the time the VPN tunnel is created should be terminated and re-started so that they travel through the VPN tunnel. In iOS 13 and 14, this does not happen, at least not by default…

    WORK-AROUNDS

    One suggested solution was an always-on VPN. Quoting ProtonVPN: “Apple recommends using Always-on VPN to mitigate this issue. This method requires using device management, so unfortunately it doesn’t mitigate the issue for third-party applications such as Proton VPN.” So, not a solution for us consumers. But, ProtonVPN had two other suggested work-arounds…

    2 users thanked author for this post.
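
One way to check a capture for the two kinds of leak described in the post above, added here as an example (it is not code from the article or from ProtonVPN). It assumes the packets sent by the iOS device were recorded upstream of it (for example at the router) as (timestamp, destination IP, destination port, length) tuples and that the VPN server address and tunnel start time are known; the LAN range, addresses and timings are all constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumption: the local network range

def classify_flows(packets, vpn_server, tunnel_up, lan=LAN):
    """Label each (dst, port) flow and count bytes sent after the tunnel came up.

    Returns {(dst, port): (label, bytes_after_tunnel_up)}.
    """
    first, last, after = {}, {}, defaultdict(int)
    for ts, dst, port, length in packets:
        key = (dst, port)
        first[key] = min(ts, first.get(key, ts))
        last[key] = max(ts, last.get(key, ts))
        if ts >= tunnel_up:
            after[key] += length
    vpn = ip_address(vpn_server)
    result = {}
    for key in first:
        dst = ip_address(key[0])
        if dst == vpn:
            label = "tunnel"        # encrypted traffic to the VPN server
        elif dst in lan or dst.is_multicast:
            label = "local"         # LAN/mDNS traffic never enters the tunnel
        elif last[key] < tunnel_up:
            label = "pre-tunnel"    # ended before the tunnel existed: expected
        elif first[key] < tunnel_up:
            label = "stale-leak"    # connection survived tunnel creation
        else:
            label = "new-leak"      # opened outside the tunnel afterwards
        result[key] = (label, after[key])
    return result

def leaks(result):
    """Flows that carried data outside the tunnel while it was up."""
    return sorted(k for k, (label, _) in result.items() if label.endswith("-leak"))

# Constructed capture: the tunnel to 203.0.113.10 comes up at t=100.
SAMPLE = [
    (10.0, "192.168.1.1", 53, 80),
    (20.0, "198.51.100.7", 443, 1200),
    (30.0, "198.51.100.8", 443, 600),
    (101.0, "203.0.113.10", 51820, 1400),
    (180.0, "198.51.100.8", 443, 700),   # same flow as t=30, still alive
    (250.0, "192.0.2.44", 443, 500),
    (300.0, "203.0.113.10", 51820, 1400),
]

if __name__ == "__main__":
    for flow, verdict in classify_flows(SAMPLE, "203.0.113.10", 100.0).items():
        print(flow, verdict)
```
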
    • #2470968

      Here is further proof that VPNs on iOS are broken. The two red boxes say that there is no VPN connection. The two indicators marked in green say there is a VPN connection.

      [Image: ios.and_.vpn_.status.confusing3]

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      3 users thanked author for this post.
      • #2471286

        Good thorough investigation, hats off to you @Michael432

        Time for Apple to publicly fess up?..not likely!
        It is still the status quo after recent exploit patches have been applied according to el reg: https://www.theregister.com/2022/08/19/apple_ios_vpn/

        Has Apple been instructed* by higher authorities to leave this unfixed? hands tied with a silent code of conduct fits right in with Apple’s disclosure policy doesn’t it….
        OR
        Do Apple have their own iVPN service in mind commencing or declining at bootup of the iDevice/Macs?
        at an outrageous cost of course for peace of mind albeit with instructions* still in place

        Nevertheless, security comes at a price, and it’s probably NOT your initial thought these days.

        Wonder how GDPR fits into this scheme of VPN ithings?

        • #2471352

          That was an especially well written article.


    • #2471312

      Has Apple been instructed* by higher authorities to leave this unfixed? hands tied with a silent code of conduct fits right in with Apple’s disclosure policy doesn’t it….

      Apple claims they fixed it back in 2019 and that the VPN programmers are to blame for not using the proper API.

      Apple’s iOS does have ‘hide my IP’ using iCloud “VPN”
