A new bug has been found on devices running iOS 13.3.1 and later that can prevent virtual private networks (VPNs) from encrypting all traffic. Some internet connections can bypass the VPN's encryption, potentially exposing users’ data and IP addresses. Apple is said to be aware of the bug and will be issuing a software update fairly soon.
According to the report from Bleeping Computer, the vulnerability arises because iOS sometimes doesn’t terminate all existing connections when the user connects to a VPN, permitting them to reconnect to the destination servers once the VPN tunnel has been established. Connections made after connecting to a VPN on your iOS device are not affected by this vulnerability.
ProtonVPN, the first to discover the bug, said that those at the highest risk from this security flaw are individuals in countries where surveillance and civil rights violations are widespread. To complicate matters, neither ProtonVPN nor any other VPN provider can offer a workable solution, since iOS does not allow a VPN app to kill existing network connections.
For now, VPN users are advised to turn on Airplane Mode and then turn it off again to kill all existing connections.
Apple has been notified of the vulnerability and is experimenting with ways to eliminate the security flaw.