Virtual Private Networks on Apple’s iOS devices won’t work because of a software bug, according to n prominent expert, putting the security of potentially millions of users at risk.
In a report, independent computer consultant and former CNET writer Michael Horowitz said that a previously known VPN flaw in iOS devices is still ongoing. The flaw was first pointed out by ProtonVPN in 2020. In short, iOS devices allow some user data to leak outside of the “tunnel” that the VPN creates, possibly allowing data to be tracked or captured without user knowledge.
“At this point, I see no reason to trust any VPN on iOS,” Horowitz said. “My suggestion would be to make the VPN connection using VPN client software in a router, rather than on an iOS device.”
Horowitz conducted his tests by connecting his iPad to a VPN and tracking the iPad’s connection requests via his internet router. If the VPN worked, his router would show an outbound connection request from the iPad to the VPN, and then nothing new after that. Horowitz said that the VPN appeared to work for a couple of minutes on his iPad, however, a “flood” of connection requests were sent out after less than 20 minutes on the VPN.
“A VPN that is not doing what it is supposed to do,” Horowitz said bluntly. “Data is leaving my iPad and not traveling through the VPN tunnel.”
Horowitz said he contacted both Apple and the Cybersecurity and Infrastructure Security Agency to alert them of the issue but received no reply from either the Cupertino tech giant or the CISA.
“It takes so little time and effort to re-create this, and the problem is so consistent, that if they tried at all, they should have been able to re-create it,” he said. “None of my business. Maybe they are hoping, that like ProtonVPN, I will just move on and drop it. Dunno.”
VPNs are crucial tools for data security, especially for people in potentially hostile countries. Earlier this month, The New York Times reported that Russia was diverting all of the internet traffic in occupied parts of Ukraine back to Russian networks. A VPN would allow Ukrainian users to skirt these Russian networks and remain undetected. However, with the issue pointed out by ProtonVPN and Horowitz, iPhone users attempting to use a VPN in Ukraine—and other hostile countries—could still be at risk.