iPhone VPN Security Issues Persist in iOS 16, Researchers Claim - CNET


Two years ago, Proton VPN disclosed a vulnerability in Apple's iOS that allows a user's VPN traffic to leak outside of the VPN tunnel, unencrypted.

The vulnerability was initially said to impact iOS version 13.3.1. Mullvad VPN also warned of the issue in 2020. And this year, researcher Michael Horowitz said the vulnerability exists in iOS version 15.6.1.

Now, new research claims the vulnerability still exists in iOS 16, the brand-new version of Apple's mobile operating system. Security researchers at Mysk have demonstrated that iOS 16 communicates with Apple services outside of an active VPN tunnel and leaks DNS requests.

"We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel," the researchers tweeted. "Worse, it leaks DNS requests. Apple services that escape the VPN connection include Health, Maps, Wallet."

VPN users with critical privacy needs like journalists, dissidents and activists are particularly at risk if their traffic leaks.

Normally, when a user connects to a VPN, existing internet connections should be terminated by the operating system, then re-established through the encrypted VPN tunnel. Data leaking unencrypted outside of an active VPN tunnel can pose serious privacy and security risks because a user's real IP address and other sensitive information can be exposed to the user's ISP, network administrators, government agencies and cybercriminals.

Additionally, the researchers indicated that data leaks persisted even with Apple's new Lockdown Mode enabled. In fact, they say the leaks were worse in that mode.

Update: The Lockdown Mode leaks more traffic outside the VPN tunnel than the "normal" mode. It also sends push notification traffic outside the VPN tunnel. This is weird for an extreme protection mode.
Here is a screenshot of the traffic (VPN and Kill Switch enabled) #iOS pic.twitter.com/25zIFT4EFa

— Mysk 🇨🇦🇩🇪 (@mysk_co) October 13, 2022

Apple did not immediately respond to CNET's request for comment. But according to Apple's site, Lockdown Mode is "optional, extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats."

Proton VPN outlined a potential workaround in its blog post documenting the issue. Users should first connect to a VPN server, enable Airplane Mode on their iOS device (to kill all internet connections and temporarily disable the VPN) and then disable Airplane Mode. The VPN should then reconnect, and all internet connections should be re-established through the VPN tunnel. However, Proton VPN does warn that there is no 100% guarantee that this method will work.

"This is something that has unfortunately lingered despite us repeatedly raising the matter with Apple over a long stretch of time. Knowing that, it's worth reiterating that this issue is a byproduct of an iOS flaw, not some kind of bug within Proton VPN," a Proton spokesperson told CNET in an emailed statement. "The leak similarly affects VPN services across the board, not just Proton. This situation is obviously suboptimal, but it does not expose user browsing history or other online activity."
