Use a VPN on your iPhone? This vulnerability may affect you.
Installing a VPN provides (in principle) an additional layer of protection and allows users to browse the internet more securely.
A VPN creates a communication tunnel between the user's device (iPhone) and the provider's VPN server. All data traffic that passes through this tunnel is encrypted point-to-point, which means that it:
Protects the user against network attacks (e.g., man-in-the-middle, sniffing, spoofing): if a cyber-criminal monitors the traffic, they can see data pass by but cannot decrypt it or access our communications. Using a VPN protects our traffic and our credentials for critical services (mail, cloud services...).
Protects user privacy: Internet providers have full visibility of your traffic; by encrypting it with a VPN you are protected against the possibility that your privacy is marketed by third parties.
Protects your rights: the Internet is a door to freedom that oppressive dictatorships and governments want to limit or use as a tool of repression. Using a VPN allows people like journalists, lawyers and activists to redirect their traffic in an encrypted way to a safe place, avoiding censorship or repression.
Well, if you are an iPhone user and you have a VPN installed... you have reason for concern.
The issue began when, with a VPN installed on my device (iPhone with iOS v_12.4.2), I identified that there were IPs different from the VPN server (which was located in Denmark).
I identified this anomaly thanks to my Firewalla, a device connected to my router and acting as a cybersecurity sentry in my network.
In principle, the installed VPN had to encrypt all the traffic on my iPhone and therefore make it inaccessible to anyone (including Firewalla).
However, to my surprise, thanks to Firewalla I identified traffic to Google or Apple services coming out of my iPhone. It was simply incompatible with the principles of a VPN and data traffic encryption...
The next step was to raise the incident with the VPN provider, attaching the Firewalla captures. Just a few days later, ProtonVPN engineers identified the security flaw that affects iOS devices:
Some push notifications are excluded from the encryption tunnel that iPhone creates when configuring a VPN on the device.
This vulnerability affects all VPN providers installed on iOS and is serious, since it can expose user data to third parties that may be monitoring traffic. If push notifications were sent with the user's credentials, it would jeopardize critical services such as AppleID or GoogleID.
ProtonVPN has reported the incident to Apple and has published configuration and usage recommendations until there is a patch from Apple to resolve the issue (see the security alert published by ProtonVPN).
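The check that exposed this leak can be repeated on any gateway flow log: list everything the phone sent to the internet that did not go to the VPN server. The Python below is an added example, not code from Firewalla or ProtonVPN; the log format, the addresses (documentation ranges) and the function names are assumptions constructed for illustration.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed sample flow log, in a format assumed for this example:
# time, source IP, destination IP, destination port, protocol, bytes.
SAMPLE_FLOWS = """\
09:00:01,192.168.1.23,203.0.113.10,1194,udp,48211
09:00:02,192.168.1.23,224.0.0.251,5353,udp,212
09:00:04,192.168.1.23,192.0.2.50,5223,tcp,3120
09:00:09,192.168.1.23,198.51.100.77,443,tcp,9540
09:00:12,192.168.1.40,198.51.100.77,443,tcp,700
09:00:15,192.168.1.23,192.0.2.50,5223,tcp,880
"""

# TCP 5223 is the port Apple documents for its push notification service.
PORT_HINTS = {5223: "Apple push (APNs)"}

def find_tunnel_bypass(log_text, device_ip, vpn_servers, lan_cidr):
    """Return {(dst_ip, port, proto): total_bytes} for flows from device_ip
    that left the LAN without going to one of the VPN servers."""
    device = ipaddress.ip_address(device_ip)
    vpn = {ipaddress.ip_address(s) for s in vpn_servers}
    lan = ipaddress.ip_network(lan_cidr)
    leaks = defaultdict(int)
    for row in csv.reader(log_text.splitlines()):
        if len(row) != 6:
            continue  # skip malformed or blank lines
        _, src, dst, port, proto, size = row
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src != device:
            continue  # another host on the network
        if dst in lan or dst.is_multicast or dst.is_link_local:
            continue  # local traffic, not routed to the internet
        if dst in vpn:
            continue  # the encrypted tunnel itself
        leaks[(str(dst), int(port), proto)] += int(size)
    return dict(leaks)

def report(leaks):
    """One line per leaking destination, largest byte count first."""
    ranked = sorted(leaks.items(), key=lambda kv: -kv[1])
    return [f"{d}:{p}/{proto} {n} bytes ({PORT_HINTS.get(p, 'unidentified')})"
            for (d, p, proto), n in ranked]

if __name__ == "__main__":
    found = find_tunnel_bypass(SAMPLE_FLOWS, "192.168.1.23", ["203.0.113.10"], "192.168.1.0/24")
    print("\n".join(report(found)) or "no traffic outside the tunnel")
```

Any destination it reports while the VPN is connected is traffic that went around the tunnel and is visible to whoever monitors the local network or the ISP link.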
From @cibersaludables, we thank and recognize the effort that companies like Firewalla and ProtonVPN put into improving the cybersecurity of all users. It is a pleasure and an honor to have them as partners in habitoscibersaludables.com