iOS 16 VPN Tunnels Leak Data, Even When Lockdown Mode Is Enabled

Even when Lockdown mode is enabled, the data is still being leaked outside of an active tunnel.

According to security researchers Tommy Mysk and Talal Haj Bakry, if Lockdown mode is enabled or not, the approach tovpn traffic is the same. There is a persistent issue with leaking data outside of an active tunnel in the operating system.

Apple has been aware of the issue of third-party VPNs failing to route all network traffic through a secure tunnel for a long time.

When a user uses a virtual private network, the operating system closes all internet connections and then reestablishes them through the tunnel. Security researchers have found that sessions and connections established before the VPN is turned on are not terminated as one would expect, and can still send data outside the tunnel while it is active, exposing it to the internet and other parties.

According to a report from a privacy company, a vulnerability in the mobile operating system persisted through three updates. Apple said it would add Kill Switch in a future software update that would allow developers to block all existing connections if a tunnel is lost, but it doesn't appear to prevent data leaks as ofiOS 15 andiOS 16

Mysk and Bakry have discovered that in order to communicate with Apple services outside of an active tunnel, the user has to know about it.

The exact same issue persists whether Lockdown mode is enabled or not, particularly with push notifications, and Mysk and Bakry investigated whether the necessary steps were taken to fix the issue. The majority of users who need to enable Lockdown mode are not at risk of a data leak outside of their active tunnel.

Lockdown mode is an optional security feature that protects a small group of users who may be at risk of cyberattacks from private companies. Lockdown mode uses the same third-party VPNs as the rest of the system.

Update: The Lockdown Mode leaks more traffic outside the VPN tunnel than the "normal" mode. It also sends push notification traffic outside the VPN tunnel. This is weird for an extreme protection mode.

Here is a screenshot of the traffic (VPN and Kill Switch enabled) #iOS pic.twitter.com/25zIFT4EFa — Mysk 🇨🇦🇩🇪 (@mysk_co) October 13, 2022

Internet service providers, governments, and other organizations may be able to identify users who have a large amount of traffic due to the fact that iOS 16 leaks data outside the tunnel. It is possible that Apple does not want a potentially malicious app to collect some kinds of traffic, but seeing as ISPs and governments are able to do this, even if that is what the user is specifically trying to avoid, it seems likely that this is part of the same VPNs problem that

When Lockdown mode is enabled, Apple only lists high-level features that are activated, and there is no mention of any changes that might affect traffic. Even though Lockdown mode claims to be an extreme protection measure, it seems like there is a lot of oversight regarding the vulnerability of the traffic.