A new security vulnerability found in iOS 13.3.1 or later prevents VPNs from effectively encrypting all traffic on iOS devices. The vulnerability could expose users' data and IP addresses even though the device is connected to a secure VPN network.
The bug does not affect connections made after the device has connected to a VPN. However, connections that were made before connecting to the VPN remain exposed even after the device joins the secured network. The bug was discovered by a consultant working for the Proton community and reported on ProtonVPN's website.
The problem occurs because iOS does not terminate connections that were in place before the user connected to a VPN. Normally iOS should terminate all existing internet connections and then reconnect to the destination servers once the VPN is activated. Because it does not do so on devices running iOS 13.3.1 or later, those older connections keep running outside the VPN tunnel, which increases the chances of user data being exposed. The bug could cause users' data and location to leak while leaving destination servers vulnerable to attacks.
This can be a cause for concern as explained by ProtonVPN…
“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own.” “However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.”
Since iOS does not allow VPN services to kill existing network connections, they cannot provide a workaround to secure users' data. This is an issue that can only be fixed via a software update from Apple.
A Potential Workaround
While we wait for Apple to fix this issue, ProtonVPN has offered a temporary workaround that could be helpful.
- Connect your device to a VPN server.
- Enable Airplane mode on your device through the Control Center.
- Turn off Airplane mode.
While the solution may work, ProtonVPN itself says it is not 100% reliable. We hope Apple will release an update to fix this problem as soon as possible.
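One way to check from the network side whether a device still has connections outside the tunnel, for example after trying the workaround, is to capture its traffic at the Wi-Fi gateway and look for packets that do not go to the VPN server. The Python below is an added example, not code from ProtonVPN or Apple; the record layout, IP addresses, ports and timestamps are constructed sample values.

```python
from collections import namedtuple

# One outbound packet as seen at the Wi-Fi gateway (constructed record layout).
Packet = namedtuple("Packet", "ts src dst dport")

def flows_outside_tunnel(packets, device_ip, vpn_server_ip, vpn_up_ts):
    """Report the device's flows that still send packets outside the VPN
    tunnel after the VPN came up at vpn_up_ts (seconds).

    A flow is keyed by (dst, dport). 'preexisting' is True when the flow was
    already active before the VPN connected, the case the article describes.
    """
    first_seen, last_seen = {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src != device_ip or p.dst == vpn_server_ip:
            continue  # other hosts, or traffic that is inside the tunnel
        key = (p.dst, p.dport)
        first_seen.setdefault(key, p.ts)
        last_seen[key] = p.ts
    report = []
    for key, last in last_seen.items():
        if last <= vpn_up_ts:
            continue  # flow ended before the VPN was up: nothing leaked
        start = max(first_seen[key], vpn_up_ts)
        report.append({"dst": key[0], "dport": key[1],
                       "preexisting": first_seen[key] < vpn_up_ts,
                       "seconds_outside_tunnel": round(last - start, 1)})
    return sorted(report, key=lambda r: -r["seconds_outside_tunnel"])

# Constructed sample: documentation-range addresses, VPN connects at t=10 s.
DEVICE, VPN_SERVER, VPN_UP = "192.168.1.20", "203.0.113.10", 10.0
SAMPLE = [
    Packet(0.0, DEVICE, "198.51.100.7", 443),   # long-lived connection opens
    Packet(5.0, DEVICE, "192.0.2.44", 443),     # short-lived, done before VPN
    Packet(10.5, DEVICE, VPN_SERVER, 1194),     # tunnel traffic
    Packet(40.0, DEVICE, "198.51.100.7", 443),  # old connection, still direct
    Packet(600.0, DEVICE, "198.51.100.7", 443),
    Packet(700.0, DEVICE, VPN_SERVER, 1194),
]

if __name__ == "__main__":
    for row in flows_outside_tunnel(SAMPLE, DEVICE, VPN_SERVER, VPN_UP):
        print(row)
```

An empty result after the VPN is up means no direct traffic from the device was seen in the capture window; any row with `preexisting` set to True is a connection that survived VPN activation.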