Technology has become so prevalent that we hardly think twice about the apps we use or what information we provide. Smartphones hold anything from our passwords to bank account information, and data security should be a top priority for anyone storing personal information on any electronic device. Apple has boasted about its top-notch security features, but according to security researcher Michael Horowitz, the tech giant may be ignoring a rather large security issue.
Virtual Private Networks (VPNs) establish a secure, encrypted connection between your device and the internet, providing a safety tunnel for your data when you use a public network. According to Horowitz, third-party VPNs made for iPhones and iPads routinely fail to route all network traffic through a secure tunnel after they have been turned on. Without a protected VPN, devices are more susceptible to hackers and data breaches. Horowitz also claims that Apple has been aware of the issue for years.
The researcher explained in a continuously updated blog post that he has tested multiple types of VPN software on iOS devices and discovered that while most seem to work properly in the beginning, over time the VPN tunnel leaks data.
According to Horowitz, “data leaves the iOS device outside of the VPN tunnel. This is not a classic/legacy DNS leak, it is a data leak. I confirmed this using multiple types of VPN and software from multiple VPN providers. The latest version of iOS that I tested was 15.6.”
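
One way to check for the behaviour described above, as an added example that is not from the original article or from Horowitz's tests: read flow records captured upstream of the device (for instance on the Wi-Fi router) and report anything the device sent to a destination other than the VPN server after the tunnel came up. The log format, addresses and timestamps are constructed, and treating LAN and multicast destinations as out of scope is an assumption of this sketch.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: flow records as an upstream router might export them.
# Assumed format: epoch_seconds src_ip dst_ip dst_port proto bytes
SAMPLE_FLOWS = """\
1000 192.168.1.50 198.51.100.7 443 tcp 5200
1060 192.168.1.50 203.0.113.10 51820 udp 90000
1075 192.168.1.50 192.168.1.1 67 udp 340
1080 192.168.1.50 224.0.0.251 5353 udp 300
1500 192.168.1.50 198.51.100.7 443 tcp 4100
1900 192.168.1.50 192.0.2.44 993 tcp 800
1950 192.168.1.77 192.0.2.44 443 tcp 999
2400 192.168.1.50 198.51.100.7 443 tcp 650
garbage line
"""

def find_leaks(flow_text, device_ip, vpn_server_ip, lan_cidr, tunnel_up_ts):
    """Return {(dst_ip, dst_port, proto): total_bytes} for traffic the device
    sent outside the tunnel at or after the time the VPN connected."""
    device = ipaddress.ip_address(device_ip)
    vpn = ipaddress.ip_address(vpn_server_ip)
    lan = ipaddress.ip_network(lan_cidr)
    leaks = defaultdict(int)
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        try:
            ts, port, nbytes = int(parts[0]), int(parts[3]), int(parts[5])
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        if src != device or ts < tunnel_up_ts:
            continue  # other hosts, or traffic from before the tunnel was up
        # Assumption: the tunnel endpoint, LAN hosts and multicast are out of scope.
        if dst == vpn or dst in lan or dst.is_multicast:
            continue
        leaks[(str(dst), port, parts[4])] += nbytes
    return dict(leaks)

if __name__ == "__main__":
    found = find_leaks(SAMPLE_FLOWS, "192.168.1.50", "203.0.113.10",
                       "192.168.1.0/24", tunnel_up_ts=1060)
    for (dst, port, proto), total in sorted(found.items()):
        print(f"outside tunnel: {dst}:{port}/{proto} {total} bytes")
```
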
Proton, a privacy company, has reported a similar issue in the past, claiming an iOS VPN bypass vulnerability had been detected in iOS software as early as 13.3.1. As a result, Apple added Kill Switch functionality, but Horowitz stated that the feature has had no effect on the results of his tests. Proton has suggested a quick fix of turning airplane mode on and off to re-establish a connection through the VPN, but made it clear that this should not be relied upon as a solution.
Apple has yet to comment on the issue, but Horowitz has promised to keep his blog updated with any response they provide.