Apple’s iOS 13.4 hit by VPN bypass vulnerability
Publicised by ProtonVPN, the issue is a bypass flaw caused by iOS not closing existing connections as it establishes a VPN tunnel, affecting iOS 13.3.1 as well as the latest version.
A VPN app should open a private connection to a dedicated server through which all internet traffic from the device is routed before being forwarded to the website or service someone is accessing.
In short, everything that starts after the VPN is loaded will be secure, but everything before that moment might not be if it doesn't reset the connection of its own accord.
The VPN will reconnect, and your other connections should also reconnect inside the VPN tunnel.
We have been in contact with Apple, which has acknowledged the VPN bypass vulnerability and is looking into options to mitigate it.
News URL
https://nakedsecurity.sophos.com/2020/03/30/apples-ios-13-4-hit-by-vpn-bypass-vulnerability/