An unpatched bug in the latest version of Apple’s iOS is blocking virtual private network (VPN) applications from cloaking some private data transmitted between a device and the servers it requests data from. While the bug remains unpatched, Apple is suggesting steps users can take to reduce risk, researchers state.

The bug, outlined in a report by ProtonVPN, impacts Apple’s most recent iOS 13.4. The flaw is tied to the way VPN security software loads on iOS devices. After launch, VPN software is supposed to terminate all internet traffic and reestablish connections as encrypted and protected. Researchers said the Apple VPN bypass bug in iOS fails to terminate all existing connections and leaves a limited amount of data unprotected, such as a device’s IP address, exposing it for a limited window of time.

“Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel,” researchers explained in a technical analysis of the flaw.

The bug remains unpatched at a critical time when many are using VPNs under work-at-home and stay-at-home restrictions imposed due to the Covid-19 pandemic.

“An attacker could see the users’ IP address and the IP address of the servers they’re connecting to,” according to the post. “Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.”…
