iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled (macrumors.com)
AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16's approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.
According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16. Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge.
Mysk and Bakry also investigated whether iOS 16's Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel. [...] Due to the fact that iOS 16 leaks data outside the VPN tunnel even where Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.
Re:Where have I heard this before? (Score:5, Informative)
This is much worse than Android. Android makes exactly one request outside the VPN to determine if there is a captive portal.
iOS leaks DNS requests, meaning the websites you are accessing are sent in plaintext over the network. Apple's own apps and the OS also bypass the VPN for certain things.
Re: (Score:2)
Re: (Score:2)
I have to assume you are right about iOS being worse, but if people think any walled-garden cell phone can be secured, I have a bridge to sell you.
That is a silly comment. The security of a VPN client can be determined through network analysis. We know and can record exactly when a VPN leak occurs and can put a device through a variety of paces. There's no need to put faith in a walled garden here or conversely to doubt the device because of said walled garden. This is measurable.
Re:VPNs.. Are they really necessary? (Score:4, Informative)
What do you know? Obviously not much, given that you don't even mention the privacy aspect of VPN use that motivates this article.
VPNs can be used to create "a secure, shared, communal space" -- but they also obscure one's Internet traffic from observation at the source end. Running traffic over a VPN prevents a hotel or local government from surveilling that traffic except in a very coarse way (volume per unit time). Even if all the leaked traffic in this article uses cryptography for integrity and confidentiality of the content, the address information is still exposed to surveillance.
Re: (Score:1)
The "shared" part of that isn't a technical requirement, just a common configuration.
Re: (Score:2)
What kind of "P2P secure connection" would you establish to hide that you're visiting anything from BBC to Pornhub, assuming it's either frowned upon or just directly blocked in your country/hotel/etc.?
Re: VPNs.. Are they really necessary? (Score:2)
Did you legitimately just say you believe that private individuals having their own secure communal space is not a good idea?
Fascist much? You can fuck right off.
Well, do not trust vendors (Score:5, Informative)
Even more so in the security space. That said, what "leaks" is apparently that existing connections do not get closed when the VPN is activated. That is a pretty bad design error if the designer claimed that it would cut everything else, but it is not a data leak in the strict sense. After all, these connections existed before and data was going through them before. It is also not a "VPN bypass" as the Proton people claim, because a "VPN bypass" is something you activate _after_ the VPN gets established.
On the risk side, remember that whatever you were doing before activating the VPN was done on the same device. Hence if that activity was a security problem, then your problem already existed before the VPN was activated. Using network connections to services you do not trust and ones you do trust on the same device is generally a really bad idea if the stakes are high (such as in a surveillance state). So while this definitely is a major flaw (again only if the claimed behavior is different), it requires the user to already be doing not smart things to be attacked. And nobody should ever assume that a VPN isolates the system except for the tunnel, unless they have clear confirmation for that. In fact, many VPN solutions support Split-Tunneling where you may go via VPN to a specific place and use the open internet at the same time for everything else.
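The two points made in this thread so far, that VPN leakage is measurable with a packet capture, and that a connection which predates the tunnel is a different thing from a new flow that goes around it, can both be checked mechanically. The following classifier is an added example written for this page; it is not code from Mysk and Bakry, Proton or Apple. The tunnel interface name utun0, the VPN server 203.0.113.10 on UDP 443 (a documentation address), the tunnel-up time t=1006 and the trace itself are constructed assumptions.

```python
"""Classify packets in a capture relative to a VPN tunnel.

Added example for this thread; it is not code from Mysk and Bakry, Proton
or Apple. Assumptions: the tunnel interface is utun0, the VPN server is
203.0.113.10 on UDP 443 (a documentation address), the tunnel came up at
t=1006, and TRACE is a constructed tcpdump-like trace, not a real capture.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

TUN_IFACE = "utun0"                    # assumed tunnel interface name
VPN_ENDPOINT = ("203.0.113.10", 443)   # assumed VPN server (documentation range)
VPN_UP_AT = 1006.0                     # assumed time the tunnel was established

# Constructed trace: "<epoch> <iface> <proto> <src>.<sport> > <dst>.<dport>"
TRACE = """\
1000.0 en0   TCP 192.0.2.5.49200 > 198.51.100.20.443   # connection opened before the VPN
1005.0 en0   UDP 192.0.2.5.50000 > 203.0.113.10.443    # VPN handshake
1010.0 utun0 TCP 10.8.0.2.49300  > 198.51.100.30.443   # inside the tunnel
1011.0 en0   UDP 192.0.2.5.51234 > 198.51.100.53.53    # DNS query on the physical interface
1012.0 en0   TCP 192.0.2.5.49200 > 198.51.100.20.443   # old connection still carrying data
1013.0 en0   TCP 192.0.2.5.49400 > 198.51.100.40.5223  # new connection opened outside the tunnel
1014.0 en0   UDP 192.0.2.5.50000 > 203.0.113.10.443    # the encrypted tunnel transport itself
"""

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(TCP|UDP)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: float
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def parse_trace(text):
    """Parse the trace format above; comments after '#' are ignored."""
    packets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {raw!r}")
        ts, iface, proto, src, sport, dst, dport = m.groups()
        packets.append(Packet(float(ts), iface, proto, src, int(sport), dst, int(dport)))
    return sorted(packets, key=lambda p: p.ts)


def classify(packets, vpn_up_at=VPN_UP_AT):
    """Bucket each packet. Anything not on the tunnel interface is 'outside'."""
    first_seen = {}
    buckets = defaultdict(list)
    for p in packets:
        first_seen.setdefault(p.flow, p.ts)
        if p.iface == TUN_IFACE:
            cat = "tunnel"                 # what a VPN is supposed to carry
        elif (p.dst, p.dport) == VPN_ENDPOINT:
            cat = "vpn-transport"          # the tunnel's own encrypted carrier
        elif p.ts < vpn_up_at:
            cat = "pre-vpn"                # before the tunnel existed
        elif p.dport == 53:
            cat = "dns-leak"               # resolver queries visible to the local network
        elif first_seen[p.flow] < vpn_up_at:
            cat = "stale-connection"       # flow predates the tunnel and was never torn down
        else:
            cat = "bypass"                 # a new flow that went around the tunnel
        buckets[cat].append(p)
    return dict(buckets)


def leak_summary(text, vpn_up_at=VPN_UP_AT):
    """Counts per category; everything except tunnel/vpn-transport/pre-vpn is a finding."""
    return {cat: len(pkts) for cat, pkts in classify(parse_trace(text), vpn_up_at).items()}


if __name__ == "__main__":
    for cat, pkts in classify(parse_trace(TRACE)).items():
        for p in pkts:
            print(f"{cat:17} {p.iface:5} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```

On a real device the input would be a capture of the physical and tunnel interfaces reduced to the same five-tuple-plus-timestamp shape; the categories are what matter. A "stale-connection" hit is the case the comment above calls a design decision rather than a leak, a "dns-leak" hit is the case the summary calls a leak of what sites you visit, and a "bypass" hit is a flow the OS opened outside the tunnel after it was up. Each of the three needs a different fix, so it helps to keep them apart.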
Re: (Score:2)
The "discovered" link in TFS claims that at least three Apple apps (Maps, Wallet, Health) bypass the VPN. Is that because they have long-lived connections that Apple keeps open, or because they bypass the VPN?
People who want security don't use split tunneling. On the client side, it leaks information, like you say. On the server side, it makes it much easier for malware / C&C traffic to bypass inspection and network access controls.
Re: (Score:2)
The "discovered" link in TFS claims that at least three Apple apps (Maps, Wallet, Health) bypass the VPN. Is that because they have long-lived connections that Apple keeps open, or because they bypass the VPN?
Apparently, because they have longstanding connections.
As to split-tunneling, I was merely pointing out that merely calling something a "VPN" does not mean everything goes through it. Definitions and their details matter.
Re: (Score:2)
The post explicitly states that lockdown should disconnect active insecure connections and reconnect them inside the vpn.
The post is wrong. It is a design decision. Also, you _cannot_ reconnect connections inside the VPN from the outside. Fundamentally impossible. For that, the application has to reconnect by itself.
Re: (Score:2)
Yes, connections get lost all the time, and robust applications need to be able to recover them. If the app cannot reconnect, it must not be a very important connection to keep alive.
For a security-focused mode like Lockdown, keeping non-VPN connections open when a VPN is connected is a misfeature.
Re: (Score:2)
Yes, connections get lost all the time, and robust applications need to be able to recover them. If the app cannot reconnect, it must not be a very important connection to keep alive.
For a security-focused mode like Lockdown, keeping non-VPN connections open when a VPN is connected is a misfeature.
Yes, probably. The question is whether they ever promised anything else, and I have not found that they did. The actual fault here may be the level of security Apple indicated (but not clearly specified) this would give you. But when you look at the description, you find that "all connections through VPN" is not actually something they promised. My point is that "VPN" does not necessarily come with this and can still be VPN. Hence what is missing here is some concrete thing Apple promised and then did not del
Re: (Score:2)
The post explicitly states that lockdown should disconnect active insecure connections and reconnect them inside the vpn.
The post is wrong. They are projecting their expectations. Have a look here: https://support.apple.com/en-u... [apple.com]
There is NO PROMISE AT ALL to disconnect existing connections.
Also, you cannot reconnect existing connections that way. Only the application that opened the connection can do that. Makes me think you do not even understand the basics of TCP/IP.
What happened is that some people took flowery, imprecise and misleading language from a vendor (Apple) and then projected their own wishes and hopes on it wi
Re: (Score:2)
The "discovered" link in TFS claims that at least three Apple apps (Maps, Wallet, Health) bypass the VPN. Is that because they have long-lived connections that Apple keeps open, or because they bypass the VPN?
People who want security don't use split tunneling. In the client side, it exists information like you say. On the server side, it makes it much easier for malware / C&C traffic to bypass inspection and network access controls.
And who cares about DNS requests to bog-standard, all-iPhones-have-them Apple services? Where in fuck is the espionage value in knowing that a "target" opened a connection to Apple's Maps service?
Re: (Score:2)
So you are OK with activating a VPN and then having DNS lookups you perform after that point go outside the VPN because the system just has an open TCP connection for DNS?
And where did you get that from? Are you functionally illiterate?
What I said is that there are different design options and all are "VPN". Details do matter. If the VPN is, for example, split-tunnel, then yes, I am quite fine with it because I understand what that means. Depending on the scenario, I would be using a split-tunnel VPN or not. Incidentally, I do not do DNS over TCP.
The problem is the VPN itself (Score:4, Interesting)
VPN is now an ambiguous term.
Yes, it stands for Virtual Private Network. But no, it has two meanings, and only one of them matters here.
The first meaning is of course a way to remotely connect to your company's network over the Internet. You establish a VPN connection to your company and you can work remotely while accessing data and everything as if you were on the local LAN. Here split horizons are often extremely common to avoid routing general user Internet traffic over the corporate VPN, as well as avoid breaking long standing connections - it would be mighty inconvenient if your big download stops because you had to connect to the company to grab a document.
For this, obviously there is no issue and iOS's behavior is completely correct.
The second definition comes from companies like NordVPN that advertise privacy and security, misleadingly so since they only offer local side protection (e.g. using free WiFi). In which case the article is right.
The problem is, there is no one right answer - and saying Apple does things wrong really ignores the fact that for some uses, it's the correct behavior (and some companies will assume you are doing split horizon and block gateway access from VPN).
The only solution would be to add more confusing options when setting up a VPN: whether or not all traffic should be routed over it, and whether to close all connections when using that VPN. But it's likely to be a confusing option and everyone will have it set wrong. Short of Apple simply asking for a VPN type - "Corporate" where you're remotely accessing work resources, or "Personal" when you want to use public VPN services.
Re: (Score:2)
The idea is that the VPN app or configs that tell the phone what servers to route VPN traffic through would tell the phone what traffic should be routed through said servers and what shouldn't (including telling the phone that all traffic is to be routed through the VPN which is what NordVPN would be doing). No need for the user to know what settings to toggle.
You're ignoring VPN Lockdown (Score:2)
No, you're confusing the issue by leaving out a detail. The debate here isn't about a generic routing table of a VPN client. It's about a functionality of VPN Lockdown / Kill-switch.
There's no two ways this works. It's not a split tunnel. The documentation quite clearly implies that data will not leak when it is enabled. It's not pretending to be your half-arsed corporate VPN, and this is not a case of confusion. It's a design not working as intended or advertised.
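The "corporate split tunnel" versus "personal full tunnel" distinction drawn a few comments up, the idea that the VPN configuration itself tells the device which prefixes go into the tunnel, and the kill-switch behaviour argued about here can be put side by side in a small routing model. This is an added example written for this page, not Apple's code or any VPN vendor's; it models a tunnel policy as included and excluded prefixes with the most specific prefix winning, which is ordinary longest-prefix routing, and the policy names, the prefixes, the destinations and the VPN server 203.0.113.10 are assumptions chosen for illustration rather than any particular OS API.

```python
"""Where a VPN policy sends each destination, and what a kill switch changes.

Added example for this thread, not Apple's or any VPN vendor's code. It
models a tunnel policy as included and excluded prefixes with the most
specific prefix winning (ordinary longest-prefix routing); the policy
names, prefixes and the VPN server 203.0.113.10 are assumptions chosen for
illustration, not a specific OS API.
"""
import ipaddress


class TunnelPolicy:
    """included: prefixes routed into the tunnel; excluded: carve-outs that stay direct."""

    def __init__(self, name, included, excluded=(), vpn_server=None):
        self.name = name
        self.included = [ipaddress.ip_network(n) for n in included]
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
        # The tunnel's own transport must stay on the physical path, or a
        # full-tunnel policy would try to route the VPN through itself.
        if vpn_server is not None:
            self.excluded.append(ipaddress.ip_network(vpn_server))

    def via_tunnel(self, dst):
        addr = ipaddress.ip_address(dst)
        inc = [n for n in self.included if addr in n]
        exc = [n for n in self.excluded if addr in n]
        if not inc:
            return False
        if not exc:
            return True
        # Most specific prefix wins; an exclusion wins a tie.
        return max(n.prefixlen for n in inc) > max(n.prefixlen for n in exc)


def decide(policy, dst, tunnel_up=True, kill_switch=False):
    """'tunnel', 'direct' or 'drop' for one destination under the policy."""
    if not policy.via_tunnel(dst):
        return "direct"            # split-tunnel traffic, or the VPN transport itself
    if tunnel_up:
        return "tunnel"
    # Tunnel is down: a kill switch blocks what would otherwise fall back to
    # the physical interface; without one the traffic silently goes direct.
    return "drop" if kill_switch else "direct"


# The two configurations the thread contrasts (assumed prefixes):
CORPORATE = TunnelPolicy("corporate split tunnel",
                         included=["10.0.0.0/8", "172.16.0.0/12"],
                         vpn_server="203.0.113.10/32")
PERSONAL = TunnelPolicy("personal full tunnel",
                        included=["0.0.0.0/0"],
                        vpn_server="203.0.113.10/32")

# Constructed destinations: an internal file server, a public web host, a
# public resolver, and the VPN server itself.
DESTINATIONS = ["10.1.2.3", "198.51.100.7", "198.51.100.53", "203.0.113.10"]


def audit(policy, destinations=DESTINATIONS, tunnel_up=True, kill_switch=False):
    """Map each destination to the path it takes under the given policy and state."""
    return {d: decide(policy, d, tunnel_up, kill_switch) for d in destinations}


if __name__ == "__main__":
    for pol in (CORPORATE, PERSONAL):
        print(pol.name, "(tunnel up):", audit(pol))
        print(pol.name, "(tunnel down, kill switch):",
              audit(pol, tunnel_up=False, kill_switch=True))
        print(pol.name, "(tunnel down, no kill switch):", audit(pol, tunnel_up=False))
```

Two things the model makes visible. First, even a "full tunnel" policy has one mandatory exclusion, the VPN server itself, so "everything goes through the tunnel" is never literally true and the interesting question is what else is excluded. Second, a kill switch only changes the answer for traffic the policy would have tunnelled when the tunnel is down; it says nothing about connections that were already open on the physical interface before the tunnel came up, which is the separate question this thread is arguing about.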
Now that it's too late (Score:3)
Re: (Score:2)
Because you found an example of poor software? Why did it take you until now to realise it?
Sidenote: If the VPN worked properly would you declare Stallman wrong?
As the world moves to QUIC … (Score:2)