27.03.2020

Vulnerability in iOS 13.3.1 prevents VPNs from encrypting all traffic

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections when you connect to a virtual private network (VPN). Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.

The VPN bypass vulnerability could result in users’ data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.

Those at highest risk from this security flaw are people in countries where surveillance and civil rights abuses are common. Neither ProtonVPN nor any other VPN service can provide a workaround for this issue, because iOS does not permit a VPN app to kill existing network connections.

How to mitigate the iOS VPN bypass vulnerability:

Internet connections established after you connect to the VPN are not affected. But connections that are already open when you connect to the VPN may continue outside the VPN tunnel indefinitely. There is no way to guarantee that those connections will be closed at the moment you start a VPN connection. The following steps have been shown to be almost as effective:

  • Connect to any ProtonVPN server
  • Turn on airplane mode. This will kill all Internet connections and temporarily disconnect ProtonVPN.
  • Turn off airplane mode. ProtonVPN will reconnect, and your other connections should also reconnect inside the VPN tunnel, though we cannot guarantee this 100%.
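A way to verify both points above, the leak described at the top of the post (sockets opened before the VPN came up keep their physical-interface source address and therefore never enter the tunnel) and whether the airplane-mode toggle actually tore those sockets down. This is an added example, not ProtonVPN's code or anything from Apple: it assumes an ss/netstat-style text dump of established TCP connections with an age column, the tunnel's CIDR, and constructed sample addresses from the documentation ranges. On a full-tunnel VPN every socket created after connecting is bound to the tunnel address, so an established socket whose local address is the Wi-Fi or cellular address predates the VPN and is bypassing it; a 4-tuple that is still present, and older, after the toggle was never closed.

```python
"""Flag established connections that bypass a full-tunnel VPN.

Added example, not the VPN provider's code. Inputs are hypothetical:
a text dump in the layout 'STATE LOCAL PEER AGE' and the tunnel CIDR.
"""
import ipaddress
from dataclasses import dataclass

# Peers that never leave the device or the LAN are not a leak concern here.
# RFC 1918 ranges are listed explicitly because Python's is_private also
# covers the documentation ranges used in the constructed samples below.
_LOCAL_ONLY = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Conn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    age_s: int  # seconds since the socket was established

    def four_tuple(self):
        return (self.local_ip, self.local_port, self.remote_ip, self.remote_port)


def _split_endpoint(endpoint: str):
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_connections(dump: str):
    """Parse rows of 'STATE LOCAL PEER AGE'; the header row is skipped."""
    conns = []
    for line in dump.strip().splitlines()[1:]:
        state, local, peer, age = line.split()
        if state != "ESTAB":
            continue
        lip, lport = _split_endpoint(local)
        rip, rport = _split_endpoint(peer)
        conns.append(Conn(lip, lport, rip, rport, int(age)))
    return conns


def bypassing_tunnel(conns, tunnel_cidr: str):
    """Connections to Internet peers whose source address is not in the tunnel.

    Such a socket was bound to the physical interface before the VPN came up
    and keeps sending outside the tunnel until it closes on its own.
    """
    tunnel = ipaddress.ip_network(tunnel_cidr, strict=False)
    leaks = []
    for c in conns:
        rip = ipaddress.ip_address(c.remote_ip)
        if any(rip in net for net in _LOCAL_ONLY):
            continue
        if ipaddress.ip_address(c.local_ip) not in tunnel:
            leaks.append(c)
    return leaks


def survived_toggle(before, after):
    """Sockets present before and after the airplane-mode toggle, still ageing.

    The mitigation relies on every socket being torn down; a 4-tuple that
    still exists afterwards with a larger age was never closed.
    """
    before_ages = {c.four_tuple(): c.age_s for c in before}
    return [c for c in after
            if c.four_tuple() in before_ages and c.age_s > before_ages[c.four_tuple()]]


# Constructed samples (documentation address ranges, not real captures).
# Wi-Fi address 192.168.1.20, tunnel 10.8.0.0/24 with local address 10.8.0.5.
BEFORE_TOGGLE = """State  Local                 Peer                  Age
ESTAB  192.168.1.20:51234    203.0.113.10:443      3600
ESTAB  192.168.1.20:51300    203.0.113.55:5223     7200
ESTAB  10.8.0.5:43210        198.51.100.7:443      12
ESTAB  192.168.1.20:49000    192.168.1.1:445       500
ESTAB  127.0.0.1:8080        127.0.0.1:51111       5
"""

AFTER_TOGGLE = """State  Local                 Peer                  Age
ESTAB  10.8.0.5:43300        203.0.113.10:443      4
ESTAB  192.168.1.20:51300    203.0.113.55:5223     7260
ESTAB  10.8.0.5:43301        198.51.100.7:443      3
"""

if __name__ == "__main__":
    before = parse_connections(BEFORE_TOGGLE)
    after = parse_connections(AFTER_TOGGLE)
    for c in bypassing_tunnel(before, "10.8.0.0/24"):
        print(f"before toggle: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} bypasses tunnel")
    for c in survived_toggle(before, after):
        print(f"after toggle: {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} was never closed")
```

In the constructed data the two pre-VPN sockets are reported before the toggle; afterwards the HTTPS session has been re-established inside the tunnel, while the long-lived connection on port 5223 is still open from the Wi-Fi address and is reported both as bypassing the tunnel and as having survived the toggle, which is exactly the case the post says cannot be ruled out.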

Alternatively, Apple recommends using Always-on VPN to mitigate this issue. This method requires device management, so unfortunately it does not mitigate the issue for third-party applications.