Published on June 6th, 2020 📆 | 2999 Views ⚑
0Serious iPhone Problem In iOS 13.5.1 Update
Apple has endured a few difficult months on the security front, with a trail of issues that have risked shaking user confidence. Whether the mail vulnerability, the so-called âtext bomb,â or the iOS 13.5 zero-day jailbreak, our expectation was that all would be fixed by the time iOS 13.5.1 rolled out. Unfortunately, thatâs not the case. One serious vulnerability has not been fixed, leaving millions at risk. And given the latest iOS releases have been all about security fixes, thatâs a huge surprise.
Back in March, I reported that a serious issue with the way Apple handles VPN traffic had been found in iOS 13.1 onward. That issue remains. Put simply, apps opened after enabling a VPN are safe, but connections open at the time the VPN is enabled can bypass its security and leak your data on the open internet. At the time, I suggested Apple would fix this quicklyâbut apparently not. This is a hidden riskâusers will be totally unaware they are exposed, having enabled their VPNs.
First disclosed by the team at ProtonVPN, the issue has serious consequences for users who rely on VPNs to keep them safeâthink activists, reporters, lawyers and the millions of users in countries with restricted online access. ProtonVPN tells me that the issue impacts popular social media apps and sites, such as Twitter, which ânotify users of new messages,â as well as ânews sites, which continuously update content through a standing connection.â
So, what does this mean in practice? ProtonVPN warns that âif a user, say an activist in Hong Kong, is under surveillance, these exposed connections make it possible for their online activity to be tracked.â The risk, the team says, is not hard to exploit. âThis sort of attack is simple with freely available, easy-to-use software.â
While theoretically sniffing out content is one thing, the obvious protection for users is that most of their content is now encrypted. What isnât encrypted, at least not yet, are the IP addresses that a user accesses and visits. As ever, security agencies and bad actorsâthink authoritarian regimesâcan make full use of this data to identify activists and dissidents. âYou donât need the content to create quite detailed behavior profiles,â ProtonVPN says. âThe metadata is already enough.â
VPN use is undergoing an unprecedented surge as millions find themselves working remotely and with more time than usual on their hands. We also have simultaneous unrest in many parts of there world, where the use of VPNs is critical to protect the identity and locations of those that fear repercussions.
âIn the last couple of weeks, weâve seen a massive increase in VPN use in Hong Kong,â ProtonVPN tells me, âas people defend themselves against government surveillance in light of Beijingâs new security laws. If network operators were required to share data with the authorities, as is the case with all network operators in mainland China, itâs possible that this vulnerability could be used to undermine the VPN protections and spy on normal, law-abiding citizens.â
NordVPN Teams has seen the same spike in activity in Hong Kong, reporting â175% growth in business VPNs and 120 times more usage on personal VPNs, amid cybersecurity and restriction fears.â NordVPN also told me it saw tens of thousands of Hong Kong residents starting to use its software âin the 24-hours after the legislation was announced.â
ProtonVPN tested iOS 13.5.1, confirming the VPN issue remained. According to Andy Yen, ProtonVPNâs CEO, his team âhas raised the vulnerability with Apple on multiple occasions starting over six months ago. We believe the issue really should be resolved because many people trust Apple devices due to supposedly better privacy and security, and this greatly undermines VPN security for all users.â
Apple was approached for any comments on this story before publishing.
ProtonVPN warns that there is no easy workaround, âbecause iOS does not permit a VPN app to kill existing network connections.â The best a user can do, is enable a VPN and then kill their internet connection by temporarily putting the device into flight mode. The theory is that this then reloads all those apps inside the VPNs protection, once the connection is restored. Enterprise users with mobile device management profiles have more advanced âalways onâ options, but these are not available to regular usersâand thatâs most of those at risk from this vulnerability.
Gloss