Security researchers have discovered that iOS 16 still suffers from an issue that partially disables VPNs on iPhones. In fact, Apple’s mobile OS does not reset connections when a VPN is activated, allowing information to escape through the secure tunnel.
Despite Apple’s efforts to no avail, VPNs on iPhones are still not completely secure. In July 2022, Apple announced quarantineA new safe mode for its smartphone is intended to protect users who are especially vulnerable to spyware.
This feature enhances the security of Apple smartphones, reducing the potential attack surface by disabling certain features. Despite this, the problems with VPNs on iOS have persisted for some time – for all intents and purposes, Apple has never mentioned how iOS replaces iOS.
Does not reset links
Security researchers, Tommy Misk and Talal Haj Bakri observed and briefed our colleagues Macroomers The approach to VPNs on iOS doesn’t change whether Quarantine Mode is enabled or not. However, last August it was demonstrated that Apple’s mobile operating systems (iOS and iPadOS) do not pass all traffic through a secure tunnel when a connection is established with a VPN published by a third-party developer.
Normally, when a VPN is enabled, the operating system disconnects all existing Internet connections and re-establishes them through the VPN. However, iOS fails to restore these connections. Therefore, they can continue to transmit data without going through a VPN, leaving unencrypted data accessible to potential surveillance or attackers.
Update: Lockdown mode leaks more traffic outside the VPN tunnel than “Normal” mode. It also sends push notification traffic outside the VPN tunnel. This is different for the extreme protection mode.
Here is a screenshot of the traffic (with VPN and Kill Switch enabled) #iOS pic.twitter.com/25zIFT4EFa
— Mysk 🇨🇦🇩🇪 (@mysk_co) October 13, 2022
Even worse, two security researchers discovered that quarantine mode sends more data outside the VPN tunnel than normal mode. It sends traffic over encrypted channel announcements. Researchers call this practice “strange.”
They claim that iOS 16 communicates with Apple services outside of an active VPN and thus communicates DNS queries without the user’s knowledge. Affected services include Health, Map and Maps app.
A long time problem
This highly problematic flaw is not new, however, and Apple has known about it for some time. Proton, a company that specializes in securing your online communications via browsing or email, has documented this issue since iOS 13.3.1. Update launched on January 28… 2020.
At that point, Apple will allow VPN developers to block all existing connections in an upcoming update to a kill switch. But, this feature is not very useful because researchers have established their observations by activating it, while iOS 16.1 is available.
Given this situation, we can only encourage users who use VPNs for serious matters to avoid using the iPhone under these conditions. Their telecom operator, surveillance agency, or malicious hacker systems can bypass this apparent protection.
As of now, Apple has not disclosed information about the integration of the patch in a future update of iOS.