© Contributed by CNET A vulnerability in iOS 16 could potentially leak data from a VPN tunnel that is active even in Apple's lockdown mode. Sarah Tew / CNETTwo years ago, Proton VPN discovered a vulnerability in Apple's iOS that allowed users' VPN traffic to exit an unencrypted VPN tunnel.
The vulnerability initially affects iOS 13.3.1. Mullvad VPN also warned of problems in 2020. And this year, researcher Michael Horowitz said that the vulnerability exists in iOS 15.6.1.
A new study claims the vulnerability still exists in iOS 16 , a new version of Apple's mobile operating system. Mysk security researchers found that iOS 16 interacts with Apple services outside of an active VPN tunnel and leaks DNS queries.
"We can confirm that iOS 16 interacts with Apple services outside of an active VPN tunnel," the researchers tweeted. “Worse yet, it will eliminate DNS queries. Apple services that have avoided VPN connections include Health, Maps, Wallet.
VPN users with critical privacy needs , such as journalists, dissidents, and activists, are especially at risk of having their traffic leaked.
Typically, when a user connects to a VPN, the existing internet connection must be disabled by the operating system and then re-established through an encrypted VPN tunnel. Loss of unencrypted data outside of an active VPN tunnel can pose a serious privacy and security risk, as users' real IP addresses and other sensitive information can be exposed to users' ISPs, network administrators, government agencies, and cybercriminals.
In addition, the researchers note that data leakage will continue even if Apple's new lockdown mode is enabled. In fact, it is said that in this mode, the losses are worse.
Apple did not immediately respond to CNET's request for comment. But according to Apple's website, Lockdown Mode is "additional extreme protection designed for the very few people who, because of who they are or what they do, could be personally targeted by some of the most sophisticated digital threats."
Proton VPN describes a possible solution by documenting the issue on their blog. Users must first connect to a VPN server, enable Airplane Mode on their iOS device (to disable all internet connections and temporarily disable the VPN), and then disable Airplane Mode. The VPN should then be reconnected and all internet connections should be re-established through the VPN tunnel. However, Proton VPN warns that there is no 100% guarantee that this method will work.
“This is something that, unfortunately, persists for a long time, despite our repeated problems with Apple. Knowing this, it is worth reiterating that this issue is the result of an iOS bug and not a bug in Proton VPN,” said a Proton spokesperson. just Proton. This situation is clearly sub-optimal, but it does not reveal the user's browsing history or other online activity."
