Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
IOS The Internet Iphone Security

iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled (macrumors.com) 35

AmiMoJo shares a report from MacRumors: iOS 16 continues to leak data outside an active VPN tunnel, even when Lockdown mode is enabled, security researchers have discovered. Speaking to MacRumors, security researchers Tommy Mysk and Talal Haj Bakry explained that iOS 16's approach to VPN traffic is the same whether Lockdown mode is enabled or not. The news is significant since iOS has a persistent, unresolved issue with leaking data outside an active VPN tunnel.

According to a report from privacy company Proton, an iOS VPN bypass vulnerability had been identified in iOS 13.3.1, which persisted through three subsequent updates. Apple indicated it would add Kill Switch functionality in a future software update that would allow developers to block all existing connections if a VPN tunnel is lost, but this functionality does not appear to prevent data leaks as of iOS 15 and iOS 16. Mysk and Bakry have now discovered that iOS 16 communicates with select Apple services outside an active VPN tunnel and leaks DNS requests without the user's knowledge.

Mysk and Bakry also investigated whether iOS 16's Lockdown mode takes the necessary steps to fix this issue and funnel all traffic through a VPN when one is enabled, and it appears that the exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications. This means that the minority of users who are vulnerable to a cyberattack and need to enable Lockdown mode are equally at risk of data leaks outside their active VPN tunnel. [...] Due to the fact that iOS 16 leaks data outside the VPN tunnel even where Lockdown mode is enabled, internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic, potentially highlighting influential individuals. It is possible that Apple does not want a potentially malicious VPN app to collect some kinds of traffic, but seeing as ISPs and governments are then able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPN problem that affects iOS 16 as a whole.

This discussion has been archived. No new comments can be posted.

iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled

Comments Filter:
  • by gweihir ( 88907 ) on Saturday October 15, 2022 @06:57AM (#62968431)

    Even more so in the security space. That said, what "leaks" is that apparently that existing connections do not get closed when VPN is activated. That is a pretty bad design error if the designer claimed that it would cut everything else, but it is not a data leak in the strict sense. After all, these connections existed before and data was going though them before. It is also not a "VPN bypass" as the Proton people claim, because a "VPN bypass" is something you activate _after_ the VPN gets established.

    On the risk side, remember that whatever you were doing before activating the VPN was done on the same device. Hence if that activity was a security problem, then your problem already existed before the VPN was activated. Using network connections to services you do not trust and ones you do trust on the same device is generally a really bad idea if the stakes are high (such as in a surveillance state). So while this definitely is a major flaw (again only if the claimed behavior is different), it requires the user to already be doing not smart things to be attacked. And nobody should ever assume that a VPN isolates the system except for the tunnel, unless they have clear confirmation for that. In fact, many VPN solutions support Split-Tunneling where you may go via VPN to a specific place and use the open internet at the same time for everything else.

    • by Entrope ( 68843 )

      The "discovered" link in TFS claims that at least three Apple apps (Maps, Wallet, Health) bypass the VPN. Is that because they have long-lived connections that Apple keeps open, or because they bypass the VPN?

      People who want security don't use split tunneling. In the client side, it exists information like you say. On the server side, it makes it much easier for malware / C&C traffic to bypass inspection and network access controls.

      • by gweihir ( 88907 )

        The "discovered" link in TFS claims that at least three Apple apps (Maps, Wallet, Health) bypass the VPN. Is that because they have long-lived connections that Apple keeps open, or because they bypass the VPN?

        Apparently, because they have longstanding connections.

        As to split-tunneling, I was merely pointing out that merely calling something a "VPN" does not mean everything goes through it. Definitions and their details matter.

        • The post explicitly states that lockdown should disconnect active insecure connections and reconnect them inside the vpn.
          • by gweihir ( 88907 )

            The post explicitly states that lockdown should disconnect active insecure connections and reconnect them inside the vpn.

            The post is wrong. It is a design decision. Also, you _cannot_ reconnect connections inside the VPN from the outside. Fundamentally impossible. For that, the application has to reconnect by itself.

            • by Entrope ( 68843 )

              Yes, connections get lost all the time, and robust applications need to be able to recover them. If the app cannot reconnect, it must not be a very important connection to keep alive.

              For a security-focused mode like Lockdown, keeping non-VPN connections open when a VPN is connected is a misfeature.

              • by gweihir ( 88907 )

                Yes, connections get lost all the time, and robust applications need to be able to recover them. If the app cannot reconnect, it must not be a very important connection to keep alive.

                For a security-focused mode like Lockdown, keeping non-VPN connections open when a VPN is connected is a misfeature.

                Yes, probably. The question is whether they ever promised anything else and I have not found that they did. The actual fault here may be the level of security Apple indicated (but not clearly specified) this would give you. But when you look at the description, you find that "all connections though VPN" is not actually something they promised. My point is that "VPN" does not necessarily come with this and can still be VPN. Hence what is missing here is some concrete thing Apple promised and then did not del

          • by gweihir ( 88907 )

            The post explicitly states that lockdown should disconnect active insecure connections and reconnect them inside the vpn.

            The post is wrong. They are projecting their expectations. Have a look here: https://support.apple.com/en-u... [apple.com]
            There is NO PROMISE AT ALL to disconnect existing connections.

            Also, you cannot reconnect existing connections that way. Only the application that opened the connection can do that. Makes me think you do not even understand the basics of TCP/IP.

            What happened is that some people took flowery, imprecise and misleading language from a vendor (Apple) and then projected their own wishes and hopes on it wi

      • The "discovered" link in TFS claims that at least three Apple apps (Maps, Wallet, Health) bypass the VPN. Is that because they have long-lived connections that Apple keeps open, or because they bypass the VPN?

        People who want security don't use split tunneling. In the client side, it exists information like you say. On the server side, it makes it much easier for malware / C&C traffic to bypass inspection and network access controls.

        And who cares about DNS requests to bog-standard, all iPhones have them, Apple Services? Where in fuck is the espionage value in knowing that a "target" Opened a Connection to Apple's Map Service?

    • So you are ok with activating VPN and then DNS lookups you perform after that point go through non vpn because the system adjust has an open TCP connection for DNS.
      • by gweihir ( 88907 )

        So you are ok with activating VPN and then DNS lookups you perform after that point go through non vpn because the system adjust has an open TCP connection for DNS.

        And where did you get that from? Are you functionally illiterate?

        What I said is that there are different design options and all are "VPN". Details do matter. If the VPN is, for example, split-tunnel, then yes, I am quite fine with it because I understand what that means. Depending on the scenario, I would be using a split-tunnel VPN or not. Incidentally, I do not do DNS over TCP.

  • Are they saying an advertising platform driven by surveillance isn't private? I'm shocked, you hear, shocked!
  • by tlhIngan ( 30335 ) <slashdot@worf.ERDOSnet minus math_god> on Saturday October 15, 2022 @10:08AM (#62968615)

    VPN is now an ambiguous term.

    Yes, it stands for Virtual Private Network. But no, it has two meanings and only one of would it matter.

    The first meaning is of course a way to remotely connect to your company's network over the Internet. You establish a VPN connection to your company and you can work remotely while accessing data and everything as if you were on the local LAN. Here split horizons are often extremely common to avoid routing general user Internet traffic over the corporate VPN, as well as avoid breaking long standing connections - it would be mighty inconvenient if your big download stops because you had to connect to the company to grab a document.

    For this, obviously there is no issue and iOS's behavior is completely correct.

    The second definition comes from companies like NordVPN that advertise privacy and security, misleadingly so since they only offer local side protection (e.g. using free WiFi). In which case the article is right.

    The problem is, there is no one right answer - and saying Apple does things wrong really ignores the fact that for some uses, it's the correct behavior (and some companies will assume you are doing split horizon and block gateway access from VPN).

    The only solution would be to add more confusing options when setting up a VPN whether or not all traffic should be routed over it, and to close all connections when using that VPN. But it's likely to be a confusing option and everyone will have it set wrong. Short of Apple simply asking for a VPN type - "Corporate" where you're remotely accessing work resources, or "Personal" when you want to use publiv VPN services.

    • by jonwil ( 467024 )

      The idea is that the VPN app or configs that tell the phone what servers to route VPN traffic through would tell the phone what traffic should be routed through said servers and what shouldn't (including telling the phone that all traffic is to be routed through the VPN which is what NordVPN would be doing). No need for the user to know what settings to toggle.

    • No, you're confusing the issue by leaving out a detail. The debate here isn't about a generic routing table of a VPN client. It's about a functionality of VPN Lockdown / Kill-switch.

      There's no two ways this works. It's not a split tunnel. The documentation quite clearly implies that data will not leak when it is enabled. It's not pretending to be your half arsed corporate VPN, and this is not a case of confusion. It's a design not working as intended or advertised.

      • by tlhIngan ( 30335 )

        No, you're confusing the issue by leaving out a detail. The debate here isn't about a generic routing table of a VPN client. It's about a functionality of VPN Lockdown / Kill-switch.

        There's no two ways this works. It's not a split tunnel. The documentation quite clearly implies that data will not leak when it is enabled. It's not pretending to be your half arsed corporate VPN, and this is not a case of confusion. It's a design not working as intended or advertised.

        There is no "VPN Lockdown mode".

        There is a

  • by bobbutts ( 927504 ) <bobbutts@gmail.com> on Saturday October 15, 2022 @10:54AM (#62968699)
    I finally understand what Stallman was saying about free software. Now that it's gone in the mobile space we're stuck with what we get with no way to fix it.
    • Because you found an example of poor software? Why did it take you to now to realise it?

      Sidenote: If the VPN worked properly would you declare Stallman wrong?

  • This will be expected behaviour, as QUIC sessions can continue even though the source IP and network has changed.

Every nonzero finite dimensional inner product space has an orthonormal basis. It makes sense, when you don't think about it.

Working...