A bug in iOS prevents VPNs from encrypting all traffic

A vulnerability affecting iOS 13.3.1 and later prevents virtual private networks (VPNs) from encrypting all traffic, allowing some Internet connections to bypass the encryption and potentially exposing users' data and IP addresses.

Details of the vulnerability were shared by Bleeping Computer after it was discovered by ProtonVPN. The vulnerability is caused by iOS not terminating all existing connections when a user connects to a VPN, which would allow them to reconnect to the target server once the VPN tunnel has been established.

Connections made after you connect to a VPN on iOS are not affected by this bug, but all previously established connections are not secure. This could lead a user who believes they are protected to unintentionally expose an IP address, and with it an approximate location.


A screenshot from ProtonVPN showing exposed connections to an Apple server that should be protected by the VPN

Apple's push notifications are cited as an example of a process that uses connections to Apple's servers which are not closed automatically when you connect to a VPN, but the problem can affect any app or service running on a user's device.
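A capture-side check for the behaviour described above, as an added example (not ProtonVPN's or Apple's code): it flags flows opened before the VPN connected that keep sending on the physical interface afterwards. The record layout, the interface names (`en0`, `utun2`) and every address and port in the sample are constructed assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# One record per outbound packet from a capture (field layout is assumed).
Packet = namedtuple("Packet", "ts iface proto src_port dst_ip dst_port")
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def find_tunnel_bypass(packets, vpn_up_ts, vpn_server_ip, physical_ifaces):
    """Map each flow opened before the tunnel came up to the number of
    packets it still sent outside the tunnel afterwards."""
    first_seen, after_up = {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        flow = (p.proto, p.src_port, p.dst_ip, p.dst_port)
        first_seen.setdefault(flow, p.ts)
        if p.ts < vpn_up_ts or p.iface not in physical_ifaces:
            continue  # before the VPN connected, or already inside the tunnel
        dst = ip_address(p.dst_ip)
        if p.dst_ip == vpn_server_ip or any(dst in n for n in LOCAL_NETS):
            continue  # the encrypted tunnel itself, or LAN traffic
        after_up[flow] = after_up.get(flow, 0) + 1
    # Keep only flows that predate the tunnel: the case this article describes.
    return {f: n for f, n in after_up.items() if first_seen[f] < vpn_up_ts}

# Constructed sample: the VPN connects at t=10 s; public addresses are
# taken from the documentation ranges.
SAMPLE = [
    Packet(1.0, "en0", "tcp", 50004, "192.168.1.1", 80),       # LAN, ignored
    Packet(2.0, "en0", "tcp", 50001, "198.51.100.7", 5223),    # long-lived, pre-VPN
    Packet(3.0, "en0", "tcp", 50002, "192.0.2.20", 443),       # closed before VPN
    Packet(8.0, "en0", "tcp", 50002, "192.0.2.20", 443),
    Packet(10.0, "en0", "udp", 51000, "203.0.113.50", 4500),   # tunnel transport
    Packet(12.0, "en0", "tcp", 50001, "198.51.100.7", 5223),   # still outside tunnel
    Packet(15.0, "utun2", "tcp", 50003, "192.0.2.20", 443),    # new flow, in tunnel
    Packet(20.0, "en0", "tcp", 50004, "192.168.1.1", 80),
    Packet(25.0, "en0", "tcp", 50001, "198.51.100.7", 5223),
    Packet(30.0, "en0", "tcp", 50005, "198.51.100.9", 443),    # opened after VPN: other issue
]

if __name__ == "__main__":
    hits = find_tunnel_bypass(SAMPLE, 10.0, "203.0.113.50", {"en0"})
    for flow, count in hits.items():
        print(flow, "sent", count, "packets outside the tunnel after VPN connect")
```
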

VPN apps cannot work around the problem because iOS does not allow them to terminate existing network connections, so this is a fix that will have to be implemented by Apple.

Apple is aware of the problem and is working on a solution, but in the meantime, ProtonVPN mentions the easiest workaround:

  • Connect to your VPN
  • Enable Airplane Mode
  • Disable Airplane Mode

“You reconnect, and your other connections should reconnect within the VPN tunnel, even if we cannot guarantee it 100%.”

Apple says that the other solution is to use device management software to enable “Always-on VPN to mitigate this problem”.