By Clare O’Gara
Fri | Mar 27, 2020 | 6:15 AM PDT

Over the last several weeks, much of the workforce went remote.

From employees to students and everyone in between, working from home is a necessary way to limit the spread of COVID-19 as end-users still work to pay the bills or seek an education.

What helps make this massive switch more secure? A major factor in remote work, particularly for enterprise employees, is a Virtual Private Network (VPN).

But Apple iOS currently has a problem without a patch.

What are VPNs and how is Apple iOS at risk?

Think of a VPN as an encrypted tunnel that your device is supposed to route all of its traffic through.

These tunnels keep employees connected to private, corporate networks by extending that private network across a public one, the Internet.

VPNs encrypt the traffic so no one can read the data in transit, and security teams across the globe are hard at work connecting employees to corporate networks through VPNs.

But Apple iOS is currently suffering from a VPN bypass vulnerability, according to VPN provider ProtonVPN, which went public with it:

Typically, when you connect to a virtual private network, the operating system of your device closes all existing Internet connections and then re-establishes them through the VPN tunnel. 

A member of the Proton community discovered that in iOS version 13.3.1, the operating system does not close existing connections. (The issue also persists in the latest version, 13.4.) Most connections are short-lived and will eventually be re-established through the VPN tunnel on their own. However, some are long-lasting and can remain open for minutes to hours outside the VPN tunnel.
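The behavior ProtonVPN describes is easiest to see as a check against a connection table: once the tunnel is up, any socket still bound to the device's physical interface address is traffic bypassing the tunnel, with one legitimate exception, the VPN client's own connection to the VPN server, which has to use the physical interface. The script below is an added example written for this article, not ProtonVPN's or Apple's code. The connection lines, the Wi-Fi address 192.168.1.23, the tunnel address 10.8.0.2 and the VPN server 203.0.113.1:1194 are all constructed for illustration, and the rule "local address equals tunnel address means tunnelled" assumes the VPN assigns the device a distinct tunnel address.

```python
"""Classify established connections as inside or outside a VPN tunnel.

Added example for the iOS bypass described above (not code from the
article or from ProtonVPN). After a VPN comes up, any socket still bound
to the physical interface address, rather than the tunnel interface
address, carries traffic that bypasses the tunnel. The sample connection
lines are constructed; on a real host you would feed in the output of
`ss -tun` / `netstat -an`, or flows seen by a packet capture on the router.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample in the "proto state local remote" shape used by `ss`.
# Assumed addresses: Wi-Fi 192.168.1.23, tunnel 10.8.0.2, VPN server
# 203.0.113.1:1194. Lines 3 and 4 are long-lived sockets opened before the
# tunnel came up and never re-established through it.
SAMPLE_CONNECTIONS = """\
udp UNCONN 192.168.1.23:50001 203.0.113.1:1194
tcp ESTAB  10.8.0.2:51234     198.51.100.20:443
tcp ESTAB  192.168.1.23:49876 198.51.100.30:5223
tcp ESTAB  192.168.1.23:49900 192.0.2.77:443
tcp ESTAB  10.8.0.2:51300     198.51.100.40:993
tcp ESTAB  127.0.0.1:8080     127.0.0.1:52000
"""


@dataclass
class Connection:
    proto: str
    state: str
    local: str
    local_port: int
    remote: str
    remote_port: int


def parse_connections(text: str) -> List[Connection]:
    """Parse 'proto state local:port remote:port' lines; skip anything else."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header, blank line or unexpected layout
        proto, state, local, remote = parts
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        conns.append(Connection(proto, state, lip, int(lport), rip, int(rport)))
    return conns


def find_tunnel_bypass(conns: List[Connection], tunnel_addr: str,
                       vpn_server: str, vpn_server_port: int) -> List[Connection]:
    """Return the connections whose traffic leaves the device outside the tunnel.

    Inside the tunnel: local address is the tunnel interface address.
    Not a leak: the client's own connection to the VPN server (it must use
    the physical interface) and loopback traffic (never leaves the device).
    Everything else is exactly what the bypass exposes: the device's real
    IP address and the remote server's address, in the clear on the path.
    """
    tunnel = ipaddress.ip_address(tunnel_addr)
    server = ipaddress.ip_address(vpn_server)
    leaks = []
    for c in conns:
        local = ipaddress.ip_address(c.local)
        remote = ipaddress.ip_address(c.remote)
        if local == tunnel:
            continue
        if remote == server and c.remote_port == vpn_server_port:
            continue
        if local.is_loopback or remote.is_loopback:
            continue
        leaks.append(c)
    return leaks


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_CONNECTIONS)
    for leak in find_tunnel_bypass(conns, "10.8.0.2", "203.0.113.1", 1194):
        print(f"BYPASS {leak.proto} {leak.local}:{leak.local_port} -> "
              f"{leak.remote}:{leak.remote_port}")
```

Run against the constructed sample, the script flags the two sockets on the Wi-Fi address (the 5223 and 443 connections) and ignores the VPN server connection, the tunnelled sockets and loopback. This is the kind of evidence ProtonVPN describes: the connections exist, they are long-lived, and nothing in the VPN app can close them.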

And these connections left outside the tunnel can lead to some dangerous consequences:

The VPN bypass vulnerability could result in users' data being exposed if the affected connections are not encrypted themselves (though this would be unusual nowadays). The more common problem is IP leaks. An attacker could see the users' IP address and the IP address of the servers they're connecting to. Additionally, the server you connect to would be able to see your true IP address rather than that of the VPN server.

The worst part? As of now, there's no patch:

Neither ProtonVPN nor any other VPN service can provide a workaround for this issue because iOS does not permit a VPN app to kill existing network connections.

Now more than ever, VPNs are a necessary way for people to accomplish their work in a physically and digitally safe way. Unfortunately, vulnerabilities like these are increasing the risk for those already working from home.

For more information on this vulnerability, check out ProtonVPN.

