
posted by janrinok on Friday August 19 2022, @11:45PM
from the leaky-plumbing dept.

Arthur T Knackerbracket has processed the following story:

A security researcher says that Apple's iOS devices don't fully route all network traffic through VPNs, a potential security issue the device maker has known about for years.

Michael Horowitz, a longtime computer security blogger and researcher, puts it plainly—if contentiously—in a continually updated blog post. "VPNs on iOS are broken," he says.

Any third-party VPN seems to work at first, giving the device a new IP address, DNS servers, and a tunnel for new traffic, Horowitz writes. But sessions and connections established before a VPN is activated do not terminate and, in Horowitz's findings with advanced router logging, can still send data outside the VPN tunnel while it's active.

In other words, you'd expect a VPN to kill existing connections before establishing a connection so they can be re-established inside the tunnel. But iOS VPNs can't seem to do this, Horowitz says, a finding that is backed up by a similar report from May 2020.

"Data leaves the iOS device outside of the VPN tunnel," Horowitz writes. "This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested with is 15.6."

Privacy company Proton previously reported an iOS VPN bypass vulnerability that started at least in iOS 13.3.1. Like Horowitz's post, ProtonVPN's blog noted that a VPN typically closes all existing connections and reopens them inside a VPN tunnel, but that didn't happen on iOS. Most existing connections will eventually end up inside the tunnel, but some, like Apple's push notification service, can last for hours.
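As an added example (not code from the Ars story, Horowitz's post or Proton's blog): the kind of check a router owner could run over an outbound flow log to separate the leak the article describes, pre-existing sessions that keep sending in the clear after the tunnel is up, from new connections that bypass the tunnel outright. The log format, the addresses and the VPN-up timestamp are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample log (assumed format: "<epoch> <src>:<port> -> <dst>:<port> <flags>").
# The phone is 192.168.1.20, the VPN server is 203.0.113.5 (documentation address)
# and the VPN tunnel came up at t=1000. 198.51.100.7:5223 stands in for a long-lived
# push-style session that started before the tunnel existed.
SAMPLE_LOG = """\
900  192.168.1.20:50000 -> 198.51.100.7:5223 SYN
905  192.168.1.20:50000 -> 198.51.100.7:5223 ACK
1000 192.168.1.20:51000 -> 203.0.113.5:443 SYN
1010 192.168.1.20:51000 -> 203.0.113.5:443 ACK
1020 192.168.1.20:50000 -> 198.51.100.7:5223 ACK
1030 192.168.1.20:52000 -> 192.0.2.44:443 SYN
1040 192.168.1.20:53000 -> 192.168.1.10:22 SYN
"""


def parse_line(line: str) -> Dict:
    """Split one log line into its fields (format assumed above)."""
    ts, src, _, dst, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": int(ts), "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "flags": flags}


def find_leaks(log: str, device_ip: str, vpn_server: str,
               vpn_up_at: int, lan: str) -> List[Dict]:
    """Return packets the device sent in the clear after the tunnel came up.

    A packet is a leak when it leaves the device after vpn_up_at, is not
    addressed to the VPN server and is not LAN traffic (which legitimately
    stays off the tunnel). A leak on a flow whose SYN predates vpn_up_at is
    tagged 'pre-existing' (the session-survives-VPN behaviour in the article);
    anything else is tagged 'new'.
    """
    lan_net = ip_network(lan)
    started_before = set()
    leaks = []
    for raw in log.splitlines():
        pkt = parse_line(raw)
        if pkt["src"] != device_ip:
            continue
        if ip_address(pkt["dst"]) in lan_net or pkt["dst"] == vpn_server:
            continue
        flow = (pkt["sport"], pkt["dst"], pkt["dport"])
        if pkt["ts"] < vpn_up_at:
            if pkt["flags"] == "SYN":
                started_before.add(flow)
            continue
        kind = "pre-existing" if flow in started_before else "new"
        leaks.append({"ts": pkt["ts"], "flow": flow, "kind": kind})
    return leaks
```

On the sample, the packet at t=1020 is the pre-existing leak and the SYN at t=1030 is a new-connection bypass; the t=1040 SSH to a LAN host is correctly ignored.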


This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
  • (Score: 2) by hendrikboom on Saturday August 20 2022, @01:36AM (7 children)

    by hendrikboom (1125) on Saturday August 20 2022, @01:36AM (#1267607) Homepage Journal

    The question is whether a VPN is supposed to isolate you from anything you can access locally, or just give you a connexion to some faraway network. Both purposes are useful.

    I really don't want my sshfs connexion to my local file server shut down just because I'm using a VPN to persuade some foreign entity I'm calling from France instead of Canada.

    • (Score: 2) by coolgopher on Saturday August 20 2022, @02:29AM (2 children)

      by coolgopher (1157) Subscriber Badge on Saturday August 20 2022, @02:29AM (#1267612)

      My expectation when bringing up a VPN link (or any other link with better route metric for that matter) is that all new connections will use it, and old connections may use it (and consequently break). Explicit connection of existing connection is not something I would consider a feature.

      • (Score: 2) by legont on Saturday August 20 2022, @02:36AM (1 child)

        by legont (4179) on Saturday August 20 2022, @02:36AM (#1267614)

        That's exactly how my VPN works. In fact if my computer goes down for say power outage, when I bring it up later the network does not work at all until I either restore VPN connection or kill it. Same for any interruption. Basic Linux here.

        --
        "Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
        • (Score: -1, Spam) by janibaby on Saturday August 20 2022, @08:19AM

          by janibaby (18078) on Saturday August 20 2022, @08:19AM (#1267634)

          I like that. Basic Linux. Well beyond janrinok.

    • (Score: 3, Interesting) by isostatic on Saturday August 20 2022, @07:44PM (2 children)

      by isostatic (365) on Saturday August 20 2022, @07:44PM (#1267692) Journal

      It entirely depends how you set your routing up. I could establish 221 VPNs to 221 different end points and route each /8 out of a different end point, or I could simply have a single VPN and route the entire /0 out, or I could have a couple of VPNs and route private ranges like 10.0/8 and 172.16/12 down one, and maybe dns lookups to 1.1.1.1 and 8.8.8.8 via another, and leave the /0 routing as if I didn't have a VPN.

      A typical "all host" vpn that nordvpn or whatever will give you will have a default route via the VPN interface, and a specific route to the VPN endpoint via your default gateway.

      If you want access to a specific (usually private) network, you'd just set it to route say 10.0.0.0/8 via the VPN and everything else not via the VPN.

      • (Score: 2) by hendrikboom on Sunday August 21 2022, @11:45AM (1 child)

        by hendrikboom (1125) on Sunday August 21 2022, @11:45AM (#1267771) Homepage Journal

        And the reasonable way you just described seems to be what the iOS VPN apps were doing. And it's how I'd like my own system to work.

        Instead, they're being accused of leaking data.

        -- hendrik

        • (Score: 2) by isostatic on Monday August 22 2022, @10:47AM

          by isostatic (365) on Monday August 22 2022, @10:47AM (#1267922) Journal

          If I establish a 0.0.0.0/0 vpn route I would expect all packets (aside to those on my local network which don't need a route, and a /32 to the VPN end point the VPN client would insert) to route via the VPN, or not route at all.

          What it sounds like ios does is that existing IP packets that are listed in the IOS connection tracker are routed via the previous

          So imagine the following

          1) You have an SSH connection from your ios public IP of 4.5.6.7 and gateway of 4.5.6.1, to a server of 9.0.0.9
          2) You enable the VPN to a public IP of 7.7.7.7 which hides all your traffic from 7.7.7.7
          3) You create a new SSH connection to a server on 9.0.0.8, and your source IP is 7.7.7.7, as the outgoing packet is routed via your VPN interface, encrypted, sent via 4.5.6.1 to 7.7.7.7, de-encrypted, translated, and sent on
          4) However traffic to your server on 9.0.0.9 still works, because the outgoing traffic remains routing via 4.5.6.1 and is not sent via 7.7.7.7

          What should happen, and what I assume happens with a typical nordvpn style vpn on a proper computer, is that the packet routes via the VPN, this would be flagged as invalid by the SSH server on 9.0.0.9 (as it's a packet without a SYN flag coming in from an unknown source IP/Port) and dropped
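The four-step scenario above, worked through as an added Python model (not code from the commenter, nor a description of iOS internals): the route table after the VPN is up, with a /0 into the tunnel and a /32 host route to the VPN endpoint via the real gateway, and a host that either re-looks-up every packet or pins a flow to the interface chosen for its first packet. The `Host` class, the flow-pinning rule and the route entries are assumptions that follow the comment's description.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Route table after the VPN is up: /0 into the tunnel, a host route so the
# tunnel's own packets reach 7.7.7.7 via the real gateway, and the LAN on-link.
VPN_ROUTES = [
    ("0.0.0.0/0",  "vpn0", "7.7.7.7"),   # everything else: into the tunnel
    ("7.7.7.7/32", "eth0", "4.5.6.1"),   # the encrypted tunnel packets themselves
    ("4.5.6.0/24", "eth0", None),        # on-link, no gateway needed
]
# Route table before the VPN existed (step 1 of the scenario).
PRE_VPN_ROUTES = [("0.0.0.0/0", "eth0", "4.5.6.1"), ("4.5.6.0/24", "eth0", None)]


def lookup(dst: str, routes=VPN_ROUTES) -> Tuple[str, str]:
    """Longest-prefix match: return (interface, next hop or None)."""
    best = None
    for prefix, iface, via in routes:
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    return best[1], best[2]


class Host:
    """If pin_flows is set, a flow keeps the interface picked for its first
    packet (the connection-tracker behaviour the comment attributes to iOS);
    otherwise every packet is routed afresh against the current table."""
    def __init__(self, pin_flows: bool):
        self.pin_flows = pin_flows
        self.flow_iface: Dict[Tuple[str, int], str] = {}

    def send(self, dst: str, dport: int, routes) -> str:
        key = (dst, dport)
        if self.pin_flows and key in self.flow_iface:
            return self.flow_iface[key]
        iface, _ = lookup(dst, routes)
        self.flow_iface[key] = iface
        return iface


def scenario(pin_flows: bool) -> Dict[str, str]:
    """Replay steps 1, 3 and 4 and report which interface each packet left on."""
    h = Host(pin_flows)
    return {
        "ssh 9.0.0.9 before vpn": h.send("9.0.0.9", 22, PRE_VPN_ROUTES),  # step 1
        "ssh 9.0.0.8 after vpn": h.send("9.0.0.8", 22, VPN_ROUTES),       # step 3
        "ssh 9.0.0.9 after vpn": h.send("9.0.0.9", 22, VPN_ROUTES),       # step 4
    }
```

With pinning the step-4 packet still leaves on eth0 (the leak); without it the packet goes into the tunnel, which is where the remote SSH server would then see an unexpected source and drop it, as the comment says.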

    • (Score: 2) by bobthecimmerian on Monday August 22 2022, @01:52PM

      by bobthecimmerian (6834) on Monday August 22 2022, @01:52PM (#1267949)

      My supposition is that the majority of iOS users aren't using sshfs connections or anything else that touches the local network. So an iOS VPN should be, intuitively, all or nothing by default and the user should be able to configure exceptions on the rare case they're needed.

      I'm surprised by the SoylentNews discussion on this - we're talking about iOS and the people in the discussion seem to assume a higher level of technical sophistication than most iOS users have. (I don't mean to pick on the average iOS user. I would expect the average Android, ChromeOS, and Windows user to have about the same level of technical sophistication.) So if someone starts an app that uses a network connection and then thinks, "Oh yeah, I meant to use a VPN", they shouldn't need to be technically savvy enough to know to restart their device, start the VPN client, and then start the app again.

  • (Score: 2) by dltaylor on Saturday August 20 2022, @09:12PM

    by dltaylor (4693) on Saturday August 20 2022, @09:12PM (#1267701)

    As of a couple of years ago, at least, there was evidence that Apple was bypassing VPNs and using the underlying transport. IIRC, there were some hard-coded Apple addresses (so DNS wasn't needed) used by iOS "features". In addition to the somewhat "as expected" behavior of pre-VPN connections continuing to exist, there appeared to be data exfiltrated to those addresses. This may have been changed in later versions of iOS (or iPhoneOS, or whatever they're calling it now), but I no longer have easy access to an iPhone or iPad.

    AFAICT, none of my Android devices have been doing this. Without a Stingray, though, I can't see what Google might be slipping into MMS. I do not see any evidence of "IP over DNS", at least.
