Apple ignores VPN bug in iOS for months


MichaelRSorg (Well-known member, routersecurity.org), Nov 1, 2020
An interesting read from ProtonVPN. Basically, when an iOS VPN kicks in, it does not corral all existing threads/sockets/connections. I have seen this in other VPN contexts too. If you have a professional grade router, you should be able to monitor/log any new outgoing connection that is not destined for the VPN server.
https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/
It's one thing to have a bug, and quite another thing to ignore it for months.
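The router-side check suggested above, as an added example that is not code from the post or from ProtonVPN: given a per-packet outbound log from the router, treat the first packet from the phone to the VPN server as "tunnel up" and flag every later packet from the phone that goes anywhere other than the VPN server or the LAN. A flagged destination that the phone was already talking to before the tunnel came up is exactly the kind of pre-existing connection iOS fails to tear down. The log format, the device address (192.168.1.50), the VPN endpoint (203.0.113.10, a documentation address) and the sample lines are all constructed for this example; real routers (pfSense, OpenWrt, MikroTik) log in other formats, so parse_line() is the part to adapt.

```python
"""Flag traffic from an iOS device that bypasses the VPN tunnel.

Added example, not code from the GRC thread or from ProtonVPN. Assumes a
router that logs one line per outbound packet in the constructed format
'<ISO timestamp> <src> <dst>:<port> <proto>'; adapt parse_line() to your
router's real log format.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Assumed values for the example: the phone's LAN address, the VPN server's
# public endpoint(s) and the LAN prefix. Adjust to your environment.
DEVICE_IP = "192.168.1.50"
VPN_SERVERS = {"203.0.113.10"}      # placeholder (TEST-NET-3), not a real VPN server
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample log: two connections open before the tunnel comes up
# (HTTPS to 198.51.100.7, DNS to the LAN resolver), the tunnel to the VPN
# server starts at 10:00:05, then the old HTTPS connection keeps sending,
# a brand-new HTTPS connection appears, and another LAN host does its own thing.
SAMPLE_LOG = """\
2020-10-22T10:00:00 192.168.1.50 198.51.100.7:443 tcp
2020-10-22T10:00:01 192.168.1.50 192.168.1.1:53 udp
2020-10-22T10:00:05 192.168.1.50 203.0.113.10:1194 udp
2020-10-22T10:00:06 192.168.1.50 203.0.113.10:1194 udp
2020-10-22T10:00:09 192.168.1.50 198.51.100.7:443 tcp
2020-10-22T10:00:12 192.168.1.50 192.0.2.33:443 tcp
2020-10-22T10:00:13 192.168.1.50 192.168.1.1:53 udp
2020-10-22T10:00:14 192.168.1.20 192.0.2.44:443 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line: str) -> Flow:
    """Parse one constructed log line into a Flow."""
    ts, src, dst_port, proto = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(datetime.fromisoformat(ts), src, dst, int(port), proto)


def is_local(ip: str) -> bool:
    """LAN, multicast and link-local destinations never go through the tunnel anyway."""
    addr = ipaddress.ip_address(ip)
    return addr in LAN or addr.is_multicast or addr.is_link_local


def tunnel_up_time(flows):
    """The first packet from the device to a VPN server marks the tunnel coming up."""
    for f in flows:
        if f.src == DEVICE_IP and f.dst in VPN_SERVERS:
            return f.ts
    return None


def find_leaks(lines):
    """Return sorted (dst, dport, proto, pre_existing) tuples for device traffic
    that left outside the tunnel after the tunnel came up. pre_existing is True
    when the same destination was already in use before the tunnel started,
    i.e. a connection the VPN activation did not tear down."""
    flows = sorted((parse_line(l) for l in lines if l.strip()), key=lambda f: f.ts)
    up = tunnel_up_time(flows)
    if up is None:
        return []  # no VPN session in this log; nothing to compare against
    before = {(f.dst, f.dport, f.proto)
              for f in flows if f.src == DEVICE_IP and f.ts < up}
    leaks = {}
    for f in flows:
        if f.src != DEVICE_IP or f.ts < up or f.dst in VPN_SERVERS or is_local(f.dst):
            continue
        key = (f.dst, f.dport, f.proto)
        leaks.setdefault(key, key in before)
    return sorted((d, p, pr, pre) for (d, p, pr), pre in leaks.items())


def report(lines):
    """Print one line per leaking destination, labelled by how it arose."""
    for dst, port, proto, pre in find_leaks(lines):
        kind = ("pre-existing connection kept outside tunnel" if pre
                else "new connection outside tunnel")
        print(f"{dst}:{port}/{proto}  {kind}")


if __name__ == "__main__":
    report(SAMPLE_LOG.splitlines())
```

On the constructed log this reports 198.51.100.7:443 as a pre-existing connection kept outside the tunnel and 192.0.2.33:443 as a new one. The second kind is not what ProtonVPN described (a fresh connection after the tunnel is up should be inside it), so if it shows up on a real router it points at a different problem, such as a split-tunnel rule or a route the VPN profile did not claim. DNS to the LAN resolver is deliberately not flagged here; whether that is acceptable depends on whether your VPN is meant to carry DNS too.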
 
There are pros and cons to killing all current connections when connecting to the VPN. Many applications don't handle this very well. Slack, for instance, takes many minutes before it realizes that the connection it had established is no longer valid, so no new messages show up and all Slack calls are dropped. Thankfully Zoom almost doesn't miss a beat. But Slack is hardly alone; SSH and file transfers both break if you connect to a VPN.

Of course there are privacy/security implications of current connections not using the VPN, but for my usage, where I need to use a VPN to access certain resources but find it too slow to leave it on all the time, I like the current implementation.
 
TL;DR: if you're bothered, turn on VPN, then turn on Airplane Mode, pause, turn off Airplane Mode.

I wonder where the CVE for this "vulnerability" is. ProtonVPN blog says Apple addressed the issue in mid-October, but apparently not to ProtonVPN's liking. I don't hear much outrage about this elsewhere.

Turns out ProtonVPN started banging a drum about this in iOS 13.4, last spring. Sophos has what looks like a good analysis.

@Steve just noted on SN794 that Firefox had to step back from encrypting all DNS traffic for valid enterprise network concerns. I wonder whether this VPN issue is related to enterprise users.