Two years ago, Proton VPN disclosed a vulnerability in Apple’s iOS that allows a user’s VPN traffic to leak outside of the VPN tunnel, unencrypted.
The vulnerability was initially said to affect iOS version 13.3.1. Mullvad VPN also warned of the issue in 2020. And this year, researcher Michael Horowitz said the vulnerability exists in iOS version 15.6.1.
Now, new research claims the vulnerability still exists in iOS 16, the brand-new version of Apple’s mobile operating system. Security researchers at Mysk have demonstrated that iOS 16 communicates with Apple services outside of an active VPN tunnel and leaks DNS requests.
“We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel,” the researchers tweeted. “Worse, it leaks DNS requests. Apple services that escape the VPN connection include Health, Maps, Wallet.”
VPN users with critical privacy needs like journalists, dissidents and activists are especially at risk if their traffic leaks.
Normally, when a user connects to a VPN, existing internet connections should be terminated by the operating system, then re-established through the encrypted VPN tunnel. Data leaking unencrypted outside of an active VPN tunnel can pose serious privacy and security risks because a user’s true IP address and other sensitive information can be exposed to the user’s ISP, network administrators, government agencies and cybercriminals.
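The expectation stated above (once the VPN is up, every flow rides the tunnel, and connections that pre-date it are torn down and re-established inside it) can be turned into a simple check over observed connections. The following is an added example, not code from the article or from Proton, Mysk or Apple. It runs over a constructed table of flow records rather than live system state, assumes the tunnel interface is called `utun0` (an assumed name) and the VPN came up at a constructed timestamp, and sorts every flow outside the tunnel into the three failure modes the article describes: leaked DNS queries, connections that pre-date the VPN and were never re-established, and new connections that simply bypass the tunnel.

```python
"""Leak check over a constructed per-connection flow table.

Added example; not part of the article or of any vendor's code. Models the
expectation that, with a VPN up, every flow traverses the tunnel interface and
pre-existing flows have been torn down and rebuilt inside it.
"""
from dataclasses import dataclass

TUNNEL_IFACE = "utun0"   # assumed tunnel interface name
VPN_UP_AT = 1000         # constructed: tunnel established at t=1000 (epoch seconds)


@dataclass(frozen=True)
class Flow:
    process: str
    dst_ip: str
    dst_port: int
    proto: str
    iface: str
    started_at: int  # constructed epoch seconds


# Constructed sample records; addresses are from documentation/private ranges.
FLOWS = [
    Flow("Safari", "203.0.113.10", 443, "tcp", "utun0", 1005),    # inside tunnel
    Flow("mDNSResponder", "192.0.2.53", 53, "udp", "en0", 1007),  # DNS to LAN resolver, outside tunnel
    Flow("Health", "198.51.100.7", 443, "tcp", "en0", 990),       # opened before VPN, never rebuilt
    Flow("Maps", "198.51.100.8", 443, "tcp", "en0", 1020),        # new flow that bypasses tunnel
    Flow("mDNSResponder", "10.8.0.1", 53, "udp", "utun0", 1006),  # DNS via tunnel resolver, fine
]


def classify(flow, vpn_up_at=VPN_UP_AT, tunnel_iface=TUNNEL_IFACE):
    """Label one flow observed while the VPN is up.

    'tunneled'      : flow uses the tunnel interface.
    'dns-leak'      : DNS query sent outside the tunnel (resolver sees plaintext names).
    'stale-pre-vpn' : connection established before the VPN and not re-established.
    'bypass'        : connection opened after the VPN yet routed around it.
    """
    if flow.iface == tunnel_iface:
        return "tunneled"
    if flow.dst_port == 53:
        return "dns-leak"
    if flow.started_at < vpn_up_at:
        return "stale-pre-vpn"
    return "bypass"


def leaks(flows, vpn_up_at=VPN_UP_AT, tunnel_iface=TUNNEL_IFACE):
    """Return every flow outside the tunnel, grouped by failure mode."""
    out = {"dns-leak": [], "stale-pre-vpn": [], "bypass": []}
    for f in flows:
        label = classify(f, vpn_up_at, tunnel_iface)
        if label != "tunneled":
            out[label].append(f)
    return out


def is_clean(flows, vpn_up_at=VPN_UP_AT, tunnel_iface=TUNNEL_IFACE):
    """True only when no flow escapes the tunnel."""
    return not any(leaks(flows, vpn_up_at, tunnel_iface).values())


def report(flows, vpn_up_at=VPN_UP_AT, tunnel_iface=TUNNEL_IFACE):
    """Human-readable summary, one line per leaked flow."""
    lines = []
    for kind, escaped in leaks(flows, vpn_up_at, tunnel_iface).items():
        for f in escaped:
            lines.append(f"{kind:14} {f.process:14} {f.proto}/{f.dst_ip}:{f.dst_port} via {f.iface}")
    return lines or ["no leaks: all flows traverse " + tunnel_iface]


if __name__ == "__main__":
    print("\n".join(report(FLOWS)))
```

On a real device the flow table would come from the system's connection state rather than a literal list; the point of the check is the ordering of the tests: interface first, then DNS, then connection age, so that a leaked resolver query is never mislabelled as merely stale.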
Additionally, the researchers indicated that data leaks persisted even with Apple’s new Lockdown Mode enabled. In fact, they say the leaks were worse in that mode.
Apple did not immediately respond to CNET’s request for comment. But according to Apple’s site, Lockdown Mode is “optional, extreme protection that’s designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats.”
Proton VPN outlined a potential workaround in its blog post documenting the issue. Users should first connect to a VPN server, enable Airplane Mode on their iOS device (to kill all internet connections and temporarily disable the VPN) and then disable Airplane Mode. The VPN should then reconnect, and all internet connections should be re-established through the VPN tunnel. However, Proton VPN does warn that there is no 100% guarantee that this method will work.
“This is something that has unfortunately lingered despite us repeatedly raising the matter with Apple over a long stretch of time. Knowing that, it’s worth reiterating that this issue is a byproduct of an iOS flaw, not some kind of bug within Proton VPN,” a Proton spokesperson told CNET in an emailed statement. “The leak likewise affects VPN services across the board, not simply Proton. This situation is obviously suboptimal, but it does not expose user browsing history or other online activity.”