Apple, earlier this week, released iOS 15.6.1 update on all supported iPhones. This update fixes two zero-day vulnerabilities, which the company knows has been exploited in the wild by hackers. While the first bug affects iOS’ kernel and it could give hackers complete access to the targeted iPhone, the second vulnerability could enable hackers to execute any code on the targeted device if the user open a maliciously website on Safari. While Apple has fixed both the bugs, there is another bug that has remained unpatched for almost two year. Also Read - How to schedule emails on iOS 16 with the updated Mail app
Security researcher Michael Horowitz in a blog post has claimed that an unpatched vulnerability leads VPN apps on iOS not to fully route all network traffic through the VPN tunnel and leak sensitive user data. He also says that this vulnerability isn’t new. It was first disclosed to Apple by ProtonVPN back in 2020. Apple, however, hasn’t patched the vulnerability so far. Also Read - iOS 16 hacks: How to use focus mode on your iPhone
The security researcher says that at first, the VPN apps appear to work fine. “The iOS device gets a new public IP address and new DNS servers. Data is sent to the VPN server. But, over time, a detailed inspection of data leaving the iOS device shows that the VPN tunnel leaks. Data leaves the iOS device outside of the VPN tunnel,” he wrote in a blog post. Also Read - Apple iPhone 15 Pro Max might come with exclusive features: Kuo
This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers,” he added.
For the unversed, once users switch to a VPN connection a ‘tunnel’ is established and all data coming and going from the VPN-connected device is supposed to go through the VPN. However, owning to bug in Apple’s mobile OS, some of the data is leaked outside that tunnel.
Proton VPN that first discovered this bug dubbed as ‘VPN bypass vulnerability’, says that this bug could result in users’ data being exposed if the affected connections are not encrypted themselves. “The more common problem is IP leaks. An attacker could see the users’ IP address and the IP address of the servers they’re connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server,” the company wrote in the blog post.
What is concerning is that even the the vulnerability remains unpatched even in the latest version of Apple’s mobile operating system, that is, iOS 15.6.
The researcher says that he has notified Apple about this bug and that the company hasn’t responded on the matter yet.