Security researchers have discovered that iOS 16 still suffers from an issue that renders VPNs on iPhones partially inoperable. This is because Apple’s mobile OS does not reset connections when a VPN is activated, allowing information to leak out of the secure tunnel.
Despite Apple’s best efforts, VPNs are still not completely secure on iPhones. In July 2022, Apple announced Isolation, a new secure mode for its smartphone, designed to protect users who are particularly exposed to spyware.
This feature hardens Apple’s smartphones by disabling certain features, which reduces the potential attack surface.
Despite this, the problems that VPNs have had on iOS for some time persist. To be clear, Apple has never indicated that Isolation Mode changes how iOS behaves towards VPNs.
No resetting of connections
Security researchers Tommy Mysk and Talal Haj Bakry found, and explained to MacRumors, that iOS handles VPNs the same way whether Isolation mode is enabled or not.
However, last August it was shown that Apple’s mobile operating systems (iOS and iPadOS) do not pass all traffic through the secure tunnel when a connection is established with a VPN published by a third-party developer.
Normally, when a VPN is activated, the operating system cuts off all existing Internet connections and re-establishes them through the VPN. However, iOS fails to reset these connections. Thus, they can continue to send data without going through the VPN, leaving unencrypted data accessible to possible surveillance or an attacker.
Update: The Lockdown Mode leaks more traffic outside the VPN tunnel than the “normal” mode. It also sends push notification traffic outside the VPN tunnel. This is weird for an extreme protection mode. Here is a screenshot of the traffic (VPN and Kill Switch enabled) #iOS pic.twitter.com/25zIFT4EFa
Even worse, the two security researchers discovered that the Isolation mode sends even more data outside the VPN tunnel than the normal mode. It also sends notification traffic outside the encrypted channel.
The researchers rightly call this practice “strange”. They also argue that iOS 16 communicates with Apple services outside of an active VPN and thus sends DNS queries outside the tunnel without the user’s knowledge. Among the services affected are the Health app and Maps.
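The check implied by the behavior described above (connections opened before the VPN came up that keep flowing outside the tunnel, and DNS queries sent outside it), as an added example that is not from the researchers or from this article. The packet records are constructed, and the interface names (en0, utun*), the VPN endpoint and the function name find_leaks are assumptions made for illustration.

```python
from collections import namedtuple

# One summary record per captured packet (constructed sample, not real capture data).
Packet = namedtuple("Packet", "ts iface src_port dst dst_port proto")

TUNNEL_PREFIX = "utun"                   # assumption: the VPN tunnel is a utun* interface
VPN_SERVER = ("198.51.100.10", 51820)    # assumption: placeholder VPN endpoint

def find_leaks(packets, vpn_up_ts):
    """Return {flow: reason} for flows seen outside the tunnel after vpn_up_ts."""
    first_seen, leaks = {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        flow = (p.proto, p.src_port, p.dst, p.dst_port)
        first_seen.setdefault(flow, p.ts)
        if p.ts < vpn_up_ts or p.iface.startswith(TUNNEL_PREFIX):
            continue  # before the VPN was up, or correctly inside the tunnel
        if (p.dst, p.dst_port) == VPN_SERVER:
            continue  # the encrypted tunnel transport itself is expected here
        if first_seen[flow] < vpn_up_ts:
            leaks[flow] = "pre-existing connection not reset"
        elif p.dst_port == 53:
            leaks[flow] = "DNS query outside tunnel"
        else:
            leaks[flow] = "new connection outside tunnel"
    return leaks

VPN_UP = 10.0  # constructed timestamp at which the VPN reports "connected"
SAMPLE = [
    Packet(1.0, "en0", 50001, "203.0.113.5", 443, "tcp"),       # opened before VPN
    Packet(2.0, "en0", 50002, "203.0.113.9", 443, "tcp"),       # opened before VPN, then silent
    Packet(10.2, "en0", 50100, "198.51.100.10", 51820, "udp"),  # tunnel transport
    Packet(11.0, "utun3", 50200, "203.0.113.7", 443, "tcp"),    # inside the tunnel
    Packet(12.0, "en0", 50001, "203.0.113.5", 443, "tcp"),      # old flow still on en0
    Packet(13.0, "en0", 50300, "192.0.2.53", 53, "udp"),        # DNS outside the tunnel
]

if __name__ == "__main__":
    for flow, reason in find_leaks(SAMPLE, VPN_UP).items():
        print(flow, "->", reason)
```
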
A long-standing problem
This highly problematic flaw is not new at all, however, and Apple has known about it for some time. Proton, a company that specializes in protecting your online exchanges, whether surfing or via email, has been documenting this problem since iOS 13.3.1, an update that was released on January 28… 2020.
At the time, Apple said it would fix the issue with the implementation of a Kill Switch in a future update, which would allow VPN developers to block all pre-existing connections. But this feature doesn’t seem to be working very well: the researchers made their observations with it enabled, and iOS 16.1 is already here.
Given this state of affairs, we can only encourage users who rely on VPNs for serious matters to avoid using an iPhone under these conditions. Their telecom operator, surveillance agencies or malicious hacker organizations can indeed circumvent this apparent security.
For the time being, Apple has not released any information on whether a patch will be included in a future iOS update.