Vulnerability in iOS 13.3.1 prevents VPNs from encrypting all traffic

Using a virtual private network (VPN) is the go-to for a lot of folks out there in the wild, but it turns out a bug in iOS 13.3.1 and later is causing some headaches.

The bug was first reported by Bleeping Computer, after initially being discovered by ProtonVPN. According to the discovery, the vulnerability is present in iOS 13.3.1 and later, and it prevents VPNs from encrypting all traffic. This means that some internet connections can bypass encryption and therefore potentially expose IP addresses and user data.

Based on the information provided, the iOS versions impacted by this bug do not terminate all existing connections when the device connects to the VPN. This allows those connections to reconnect to destination servers once the VPN has been successfully established. This also means that the bug only impacts existing connections, and does not affect connections that are made after the VPN has connected.

A currently unpatched security vulnerability affecting iOS 13.3.1 or later prevents virtual private networks (VPNs) from encrypting all traffic and can lead to some Internet connections bypassing VPN encryption to expose users’ data or leak their IP addresses.

While connections made after connecting to a VPN on your iOS device are not affected by this bug, all previously established connections will remain outside the VPN’s secure tunnel, as ProtonVPN disclosed.

The issue is exacerbated by the fact that iOS does not allow VPN apps to kill existing connections. This means that, ultimately, Apple will need to patch this issue directly so VPN users can go back to using their service as routinely as they were before. For what it’s worth, Apple is aware of the issue and is exploring options to lessen the issue in the near future.

But there is some good news in that there is a temporary fix:

Until a fix is provided, Apple recommends using Always-on VPN to mitigate this problem. However, since this workaround uses device management, it cannot be used to mitigate the vulnerability for third-party VPN apps such as ProtonVPN.

ProtonVPN recommends the following procedure if you are using a third-party VPN:

  1. Connect to a VPN server.
  2. Turn on airplane mode. This will kill all Internet connections and temporarily disconnect the VPN.
  3. Turn off airplane mode. The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel (not 100% reliable).
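
An added example (not from ProtonVPN, Apple or the original report): one way to check for the behaviour described above, and whether the airplane-mode procedure took effect, is to classify packets seen outside the tunnel, for instance at a router you control. The packet records, the VPN server address and the tunnel-up time below are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed sample data: packets seen on the physical (non-tunnel) side of
# the device. Fields: seconds, protocol, dst IP, dst port, src port.
# All addresses are documentation ranges, not real servers.
VPN_SERVER = ip_address("203.0.113.10")   # assumed VPN endpoint
VPN_UP_AT = 100.0                         # assumed time the tunnel came up
PACKETS = [
    (12.0, "tcp", "198.51.100.7", 443, 50001),     # opened before the VPN
    (40.0, "tcp", "198.51.100.9", 5223, 50002),    # opened before the VPN
    (100.5, "udp", "203.0.113.10", 51820, 50010),  # tunnel traffic
    (130.0, "tcp", "198.51.100.9", 5223, 50002),   # old flow still alive
    (150.0, "udp", "203.0.113.10", 51820, 50010),
    (160.0, "tcp", "192.0.2.44", 443, 50020),      # new flow outside tunnel
]

def classify_flows(packets, vpn_server, vpn_up_at):
    """Group packets into flows and label what each flow means for the tunnel."""
    first, last = {}, {}
    for ts, proto, dst, dport, sport in packets:
        key = (proto, ip_address(dst), dport, sport)
        first[key] = min(ts, first.get(key, ts))
        last[key] = max(ts, last.get(key, ts))
    result = {}
    for key in first:
        if key[1] == vpn_server:
            label = "tunnel"               # the encrypted VPN transport itself
        elif last[key] < vpn_up_at:
            label = "closed-before-vpn"    # ended before the tunnel existed
        elif first[key] < vpn_up_at:
            label = "pre-existing-leak"    # the behaviour the article describes
        else:
            label = "new-outside-tunnel"   # not this bug; check VPN routing
        result[key] = label
    return result

def leaking_destinations(packets, vpn_server, vpn_up_at):
    """Return sorted 'ip:port' strings for flows that survived outside the VPN."""
    flows = classify_flows(packets, vpn_server, vpn_up_at)
    return sorted(f"{k[1]}:{k[2]}" for k, v in flows.items()
                  if v == "pre-existing-leak")

if __name__ == "__main__":
    for key, label in classify_flows(PACKETS, VPN_SERVER, VPN_UP_AT).items():
        print(label, key)
```

To test the workaround, set the tunnel-up time to the moment the VPN reconnected after airplane mode was switched off; an empty result from `leaking_destinations` means no older flow was seen outside the tunnel in that capture.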

So, not the best news for VPN users, but at least a temporary fix is in place, and Apple will hopefully come up with something better soon.