

Update, Aug. 18, 2:40 p.m.: Proton founder and CEO Andy Yen said in a statement: "The fact that this is still an issue is disappointing to say the least. We first notified Apple privately of this issue two years ago. Apple declined to fix the issue, which is why we disclosed the vulnerability to protect the public. Millions of people's security is in Apple's hands, they are the only ones who can fix the issue, but given the lack of action for the past two years, we are not very optimistic Apple will do the right thing."

Original story: A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs as a user might expect, a potential security issue the device maker has known about for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly, if contentiously, in a continually updated blog post. "VPNs on iOS are broken," he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you might expect a VPN client to kill existing connections before establishing a secure connection so they can be re-established inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

The primary issue with non-tunneled connections persisting is that they could be unencrypted, and that the user's IP address and what they're connecting to can be seen by ISPs and other parties. "Those at highest risk because of this security flaw are people in countries where surveillance and civil rights abuses are common," ProtonVPN wrote at the time. That might not be a pressing concern for typical VPN users, but it's notable.

ProtonVPN confirmed that the VPN bypass persisted in three subsequent updates to iOS 13. ProtonVPN indicated in its blog post that Apple would add functionality to block existing connections, but that functionality, as added, did not appear to make a difference in Horowitz's results.

Horowitz tested ProtonVPN's app in mid-2022 on an iPad running iOS 15.4.1 and found that it still allowed persistent, non-tunneled connections to Apple's push service. The Kill Switch function added to ProtonVPN, which is described as blocking all network traffic if the VPN tunnel is lost, did not prevent the leaks, according to Horowitz.

APNS is the Apple-specific protocol used for FaceTime and push notifications. It does not behave exactly the same way as regular internet traffic, but it does use the Apple IP address range. It also appears that Apple goes out of its way to make sure that APNS traffic avoids going through VPNs and proxy services. When iOS security researcher Will Strafach asked on Twitter whether the leaked traffic was simply APNS traffic, one person responding to his tweet cited an OpenVPN support FAQ that states: "Many Apple services such as Push Notifications and FaceTime are never routed through the VPN tunnel, as per Apple policy." Another Twitter user pointed to an Apple document that says, "You need a direct, unproxied connection to the APNS servers" to use push notifications or FaceTime.

ProtonVPN said in its blog posting that even though this issue does occur with APNS traffic, "the problem could impact any app or service, such as instant messaging applications or web beacons." The ProtonVPN Twitter account also replied to Strafach's query: "We looked into this hypothesis at the time and determined A) This bug isn't specific to APNS (though that is the most common and easiest to reproduce) B) Notifications are delivered through the VPN tunnel, provided the APNS connection is established once the VPN tunnel is set up."
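How such a leak shows up in the kind of router logging Horowitz relied on, as an added illustration that is not code from the original article and not Horowitz's or ProtonVPN's tooling: the script below walks a per-flow accounting log from a home router, keeps only flows from the iOS device, discards the tunnel to the VPN server itself, and reports every flow that still moved bytes after the VPN came up, noting whether that flow was established before activation. It also labels destinations inside Apple's 17.0.0.0/8 block on TCP 5223 as APNS so the APNS and non-APNS cases discussed above can be told apart. The log format, timestamps and addresses (documentation ranges, plus one constructed address inside Apple's block) are made up for this example; real router exports differ.

```python
"""Flag device flows that bypass an active VPN tunnel, from router flow logs.

Illustrative example only. The log format below is constructed; adapt
LINE_RE to whatever your router or conntrack export actually produces.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

APPLE_NET = ip_network("17.0.0.0/8")  # Apple's address block, used by APNS
APNS_PORT = 5223                      # APNS normally uses TCP 5223 (443 is its fallback)

# Constructed sample: one accounting record per flow per interval.
# Device 192.168.1.23 brings its VPN (203.0.113.5:443/udp) up at 12:01:00.
SAMPLE_LOG = """\
2022-08-10T12:00:03 src=192.168.1.23:52001 dst=192.168.1.1:53 proto=udp bytes=88
2022-08-10T12:00:05 src=192.168.1.23:49152 dst=17.57.144.10:5223 proto=tcp bytes=2210
2022-08-10T12:00:09 src=192.168.1.23:49160 dst=198.51.100.20:443 proto=tcp bytes=18044
2022-08-10T12:01:00 src=192.168.1.23:51820 dst=203.0.113.5:443 proto=udp bytes=904331
2022-08-10T12:01:07 src=192.168.1.23:49160 dst=198.51.100.20:443 proto=tcp bytes=9021
2022-08-10T12:01:20 src=192.168.1.23:49152 dst=17.57.144.10:5223 proto=tcp bytes=712
2022-08-10T12:03:40 src=192.168.1.50:49300 dst=198.51.100.77:443 proto=tcp bytes=1400
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)$"
)


def parse_records(log_text):
    """Parse each log line into a dict; unknown or blank lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        for field in ("sport", "dport", "bytes"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def classify_destination(dst, dport):
    """Separate a classic DNS leak from APNS and from ordinary data traffic."""
    if dport == 53:
        return "dns"
    if ip_address(dst) in APPLE_NET and dport == APNS_PORT:
        return "apns"
    return "data"


def find_tunnel_bypass(log_text, device_ip, vpn_ip, vpn_port, vpn_up_at):
    """Return flows from device_ip that carried bytes at or after vpn_up_at
    without going to the VPN server. Each entry records whether the flow was
    first seen before the VPN came up, i.e. a pre-existing session that iOS
    kept alive outside the tunnel."""
    vpn_up = datetime.fromisoformat(vpn_up_at)
    flows = {}
    for r in parse_records(log_text):
        if r["src"] != device_ip:
            continue  # other hosts on the LAN are not our concern
        key = (r["proto"], r["sport"], r["dst"], r["dport"])
        f = flows.setdefault(key, {"first_seen": r["ts"], "bytes_after_vpn_up": 0})
        f["first_seen"] = min(f["first_seen"], r["ts"])
        if r["ts"] >= vpn_up:
            f["bytes_after_vpn_up"] += r["bytes"]

    leaks = []
    for (proto, sport, dst, dport), f in sorted(flows.items()):
        if (dst, dport) == (vpn_ip, vpn_port):
            continue  # the tunnel itself is expected
        if f["bytes_after_vpn_up"] == 0:
            continue  # flow went quiet before the VPN came up
        leaks.append({
            "dst": f"{dst}:{dport}",
            "proto": proto,
            "kind": classify_destination(dst, dport),
            "established_before_vpn": f["first_seen"] < vpn_up,
            "bytes_after_vpn_up": f["bytes_after_vpn_up"],
        })
    return leaks


if __name__ == "__main__":
    for leak in find_tunnel_bypass(SAMPLE_LOG, "192.168.1.23", "203.0.113.5", 443,
                                   "2022-08-10T12:01:00"):
        print(leak)
```

On the constructed log this reports two flows outside the tunnel, both established before the VPN came up: the APNS session to 17.57.144.10:5223 and an ordinary TLS session to 198.51.100.20:443. The pre-VPN DNS query is not reported because it moved no bytes after activation, which is the distinction Horowitz draws between a legacy DNS leak and a data leak. In practice you would feed this a real conntrack or flow export and check that the only flow surviving the filter is the one to your VPN endpoint.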
