Unpatched bug in iOS 13.3.1 and later stops VPNs from encrypting all connections

Posted on Mar 26, 2020 by Caleb Chen

An unpatched security vulnerability in iPhones and iPads is keeping VPN applications from doing their job. It affects iOS 13.3.1 and later and has been assigned a CVSS v3.1 base score of 5.3 (medium). When a VPN connection is established on iOS, every internet connection already held by the operating system and by other apps is supposed to be torn down and re-established through the VPN app's encrypted tunnel, so that remote endpoints see the VPN server's address rather than the device's own IP address. The VPN bypass bug in iOS 13.3.1 and later instead lets some connections that were open before the VPN connected keep running outside the tunnel, on their original route, which is both a security and a privacy concern. Anyone on the same network can observe those connections, any of their traffic that the application itself does not protect (for example with TLS) is readable, and the remote endpoints of those connections continue to see the device's real IP address.
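The following script illustrates the check behind the paragraph above. It is an added example, not code from the article or from ProtonVPN or Apple: it models the expected behaviour (every established connection carried by the tunnel once the VPN is up) against the buggy behaviour (connections opened before the VPN connected still bound to the physical interface). iOS does not expose its socket table to apps, so the snapshot format, the interface names (utun1 for the tunnel, en0 for Wi-Fi) and the addresses (from documentation ranges) are all constructed for the example; the same logic applies to a connection table from a desktop OS or to flows seen at a network gateway.

```python
"""Flag established connections that survive VPN establishment outside the tunnel.

Added example, not code from the article or any VPN vendor.  The snapshot format
is a constructed simplification of netstat/ss output:
    proto  local_addr  remote_addr  state  iface
"""

from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Conn:
    proto: str
    local: str
    remote: str
    state: str
    iface: str


def parse_snapshot(text: str) -> List[Conn]:
    """Parse the constructed five-column snapshot; blank lines and '#' comments are skipped."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed line: {line!r}")
        conns.append(Conn(*fields))
    return conns


def find_bypassing_connections(after_vpn: List[Conn], tunnel_prefix: str = "utun") -> List[Conn]:
    """Return established connections not carried by the tunnel interface.

    Once the VPN is up, every ESTABLISHED connection should be bound to the
    tunnel (assumed here to be named utun*).  Anything still bound to a
    physical interface (Wi-Fi en0, cellular pdp_ip0, ...) reaches the internet
    with the device's real address and outside the VPN's encryption.
    """
    return [c for c in after_vpn
            if c.state == "ESTABLISHED" and not c.iface.startswith(tunnel_prefix)]


# Constructed snapshot after the tunnel came up on a device showing the bug:
# the two long-lived connections opened before the VPN connected are still on en0.
BUGGY_SNAPSHOT = """
# proto  local                remote               state        iface
tcp4     10.8.0.2:49152       203.0.113.10:443     ESTABLISHED  utun1
tcp4     192.168.1.23:49100   198.51.100.44:443    ESTABLISHED  en0
udp4     192.168.1.23:5353    224.0.0.251:5353     -            en0
tcp4     192.168.1.23:49101   192.0.2.78:5228      ESTABLISHED  en0
tcp4     10.8.0.2:49153       203.0.113.11:443     ESTABLISHED  utun1
"""

# Constructed snapshot of the behaviour the OS is supposed to produce: the
# pre-VPN sockets were torn down and re-established through utun1.  Link-local
# mDNS on en0 has no ESTABLISHED state and is legitimately local.
CLEAN_SNAPSHOT = """
tcp4     10.8.0.2:49152       203.0.113.10:443     ESTABLISHED  utun1
tcp4     10.8.0.2:49154       198.51.100.44:443    ESTABLISHED  utun1
udp4     192.168.1.23:5353    224.0.0.251:5353     -            en0
tcp4     10.8.0.2:49155       192.0.2.78:5228      ESTABLISHED  utun1
tcp4     10.8.0.2:49153       203.0.113.11:443     ESTABLISHED  utun1
"""


def exposed_remotes(snapshot_text: str) -> List[str]:
    """Remote endpoints that still see the device's real address after VPN-up."""
    return [c.remote for c in find_bypassing_connections(parse_snapshot(snapshot_text))]


if __name__ == "__main__":
    for name, snap in (("buggy", BUGGY_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        leaks = exposed_remotes(snap)
        print(f"{name}: {len(leaks)} connection(s) bypass the tunnel {leaks}")
```

The script deliberately flags only ESTABLISHED sockets: connectionless local traffic such as mDNS has no state to survive and is not what the bug is about. Long-lived connections are the ones that matter here, because a socket that would have closed and reopened on its own gets re-established through the tunnel anyway.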

The “VPN bypass” bug was publicly disclosed by ProtonVPN on March 25th and first reported by Bleeping Computer. It was reported to ProtonVPN last year by Luis, a security consultant in its community. Proton disclosed the bug to make all VPN users and other VPN providers aware of the ongoing privacy issue on iOS. Apple has acknowledged the iOS “VPN bypass” vulnerability but has not yet said when a fix will ship.