iOS VPNs have leaked traffic for more than 2 years, researcher claims

The leak that the article describes is this: TCP connections that were established before the VPN was enabled continue without using the VPN. Connections established after the VPN is enabled do use the VPN:

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz’s findings with advanced router logging, can still send data outside the VPN tunnel while it’s active.

TL;DR still some traffic goes to Apple and Amazon services. OK.

Is that ‘only’ with iOS? Does anyone know whether macOS/Windows etc. reroute 100% of traffic through the VPN?

ITT: people who didn’t read the article

“Horowitz suggests that iOS’s Airplane Mode functions are so confusing as to make this a non-answer.”

Lol, is iOS coded by feet.

Another article that I found that explains what’s happening:

https://blog.disconnect.me/ios-vpn-leak-advisory/

“To Apple’s credit, on September 16, 2020, with the launch of iOS 14 Apple did release a new VPN property, with very limited documentation, called includeAllNetworks that stops the ability of Apple and third-party developers to exploit the cellular interface when a VPN is established.”

“For other VPNs utilizing the Wireguard secure network tunnel, setting includeAllNetworks in our tests has repeatedly resulted in internet connectivity failure. There does appear to be at least one VPN provider offering IncludeAllNetworks as part of their “kill switch” feature, but none of the leading consumer and corporate VPNs that we tested have integrated includeAllNetworks.”

“So not only is Apple creating this issue and not providing a workable fix, but they are also failing to even warn VPN developers or users that the issue exists.”

Lastly, Ars Technica also updated the story:

Update, Aug. 18, 2:40 p.m.: Proton founder and CEO Andy Yen said in a statement: “The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people’s security is in Apple’s hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing.”

All you can do really is use a router VPN and turn off cellular. For mobile you can find GL.iNet hotspot routers that can install VPNs, but then you have to carry an extra device with you everywhere.

So basically, connecting to a VPN like PIA on an iPhone, then connecting to a public WiFi hotspot won’t be of much use. Especially if you have Safari open in the background already? I think I recall times when I enabled VPN but the stuff I wanted to access didn’t work, probably because the prior connection wasn’t being terminated!

EDIT: I learned that this is not broken, but the setting is turned off by default. Devs need to enable it.
https://www.reddit.com/r/technology/comments/ws3d1y/ios_vpn_apps_are_broken_says_security_researcher/ikw635y/

I found that iOS/iPadOS/macOS don’t pass local traffic to the VPN no matter what. If I’m connected to a network with a 192.168.0.0/24 subnet and I attempt to connect to, say, 192.168.0.2, it will try to connect locally rather than going through the VPN and then connecting to that IP on the remote network.

(Edit: using built-in L2TP VPN client, “Send all traffic” enabled)

Windows can be configured to send all traffic via VPN, in my experience.

The irony of this is that Apple make it so hard to use your own existing infrastructure to determine your own level of security.

They’re constantly taking it upon themselves to decide when certain VPN technologies should be declared “obsolete” before completely removing compatibility for those widely used protocols.

This is the kind of thing I want raised in antitrust cases. It seems a bit manipulative to have this much control after roping so many people into a hard-to-escape ecosystem.

I use Apple’s iCloud Private Relay. It’s not a VPN, but it does the same job of securing my connection, without giving my data to whoever runs it…

This is correct. I’ll also add that if you know how to use Airplane mode (it isn’t that hard, see below), you can use that to shut down all connections. You can then turn Airplane mode off and all connections will then be through the VPN.

Also worth noting is that back in 2016 Apple required all apps to use encryption.

Airplane mode: use Control Center. Turn it on and it will always disable cellular. For WiFi, it will toggle whatever setting you have for Airplane mode. If you turn WiFi off while in Airplane mode, subsequently enabling Airplane mode also turns off WiFi. If in doubt, just check and turn off WiFi if needed.

This has been the default behaviour for sockets on macOS for about 15 years now. Darwin uses the source address in the route selection.
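The bypass the thread keeps circling back to, as an added example that is not from the article or any commenter: a socket keeps the source address it was bound to, so a connection opened before the tunnel came up still uses the LAN/cellular address while new ones use the tunnel address. The checker below parses a constructed `netstat -anp tcp`-style listing (macOS format, address and port joined by a dot) and flags established connections whose source address is not the tunnel's; the tunnel address, LAN subnet and all IPs are made-up sample values.

```python
import ipaddress
import re

# Constructed sample modelled on macOS `netstat -anp tcp` output; not captured from a real device.
# 192.168.1.23 is the Wi-Fi address, 10.8.0.2 the VPN tunnel address (both made up).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.23.52311     198.51.100.10.443      ESTABLISHED
tcp4       0      0  10.8.0.2.52412         203.0.113.34.443       ESTABLISHED
tcp4       0      0  192.168.1.23.52389     192.0.2.77.443         ESTABLISHED
tcp4       0      0  127.0.0.1.49152        127.0.0.1.49153        ESTABLISHED
tcp4       0      0  192.168.1.23.52450     192.168.1.50.8009      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
"""

# proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)")


def split_addr_port(field):
    # macOS netstat joins address and port with a dot: "192.168.1.23.52311" -> ("192.168.1.23", 52311)
    host, _, port = field.rpartition(".")
    return host, int(port)


def find_bypassing_connections(netstat_text, tunnel_addr, lan_subnet):
    """Return (local, remote, remote_port) for ESTABLISHED connections that are not
    sourced from the tunnel address. Loopback and same-LAN peers are skipped, since
    LAN traffic is expected to stay off the tunnel (see the 192.168.0.0/24 comment)."""
    tunnel = ipaddress.ip_address(tunnel_addr)
    lan = ipaddress.ip_network(lan_subnet)
    leaks = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "ESTABLISHED":
            continue
        local, _ = split_addr_port(m.group(1))
        remote, rport = split_addr_port(m.group(2))
        local_ip, remote_ip = ipaddress.ip_address(local), ipaddress.ip_address(remote)
        if local_ip.is_loopback or remote_ip in lan:
            continue
        if local_ip != tunnel:
            leaks.append((local, remote, rport))
    return leaks


if __name__ == "__main__":
    for local, remote, rport in find_bypassing_connections(SAMPLE_NETSTAT, "10.8.0.2", "192.168.1.0/24"):
        print(f"outside tunnel: {local} -> {remote}:{rport}")
```

Run against live output (`netstat -anp tcp` on macOS) after the VPN is up; any hit is a connection that predates the tunnel or was pinned to the physical interface, and closing and reopening it moves it onto the tunnel.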

Problem is, if you have a VPN set to “on demand”, you expect it to connect first before network traffic is established, as described in Apple documentation. iOS doesn’t do that correctly. So you’ll have traffic going over an insecure network unexpectedly.

macOS was not routing everything through the VPN for the Apple native apps until a recent fix.

The safest option is to have a dedicated VPN router.

Windows etc reroute 100% traffic through VPN?

Windows does if the tunnel is set up for that, which by default it generally is.

Some enterprise VPNs only pass certain IP ranges on purpose.

Microsoft can’t beat around the bush with tools businesses use, unlike Apple who tries to add their own unnecessary flavor in many products.

VPNs add a secure route, they don’t force all traffic through that route - at least in every OS I know (Linux, macOS and Windows). It’s common to intentionally split routing between VPN and non-VPN destinations, so that for example LAN traffic doesn’t route to your remote corporate network, or so that you can access corporate resources through a VPN and the rest of the internet directly. If you want a connection to be secure, start it after you start the VPN. This isn’t “leakage”, this is how networking works.

As always on Reddit. Or basically everywhere on the internet.

Something being confusing* doesn’t mean it isn’t good. If it confuses an expert, that can mean either it’s incredibly good or absolutely terrible.

That’s not quite what the article describes, I think.