iPhone VPN Security Issues Persist in iOS 16, Researchers Claim

Researchers have shown that iOS still leaks traffic outside the VPN tunnel, even when Apple's new Lockdown Mode is enabled.

Attila Tomaschek
Attila is a Staff Writer for CNET, covering software, apps and services with a focus on virtual private networks. He is an advocate for digital privacy and has been quoted in online publications like Computer Weekly, The Guardian, BBC News, HuffPost, Wired and TechRepublic. When not tapping away on his laptop, Attila enjoys spending time with his family, reading and collecting guitars.
Expertise Attila has nearly a decade's worth of experience with VPNs and has been covering them for CNET since 2021. As CNET's VPN expert, Attila rigorously tests VPNs and offers readers advice on how they can use the technology to protect their privacy online and
Attila Tomaschek
2 min read
VPN icon on smartphone on blue background

A vulnerability in iOS 16 potentially leaks data outside an active VPN tunnel even in Apple's Lockdown Mode.

Sarah Tew/CNET

Two years ago, Proton VPN disclosed a vulnerability in Apple's iOS that allows a user's VPN traffic to leak outside of the VPN tunnel, unencrypted. 

The vulnerability was initially said to affect iOS version 13.3.1. Mullvad VPN also warned of the issue in 2020. And this year, researcher Michael Horowitz said the vulnerability exists in iOS version 15.6.1

Now, new research claims the vulnerability still exists in iOS 16, the brand-new version of Apple's mobile operating system. Security researchers at Mysk have demonstrated that iOS 16 communicates with Apple services outside of an active VPN tunnel and leaks DNS requests. 

"We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel," the researchers tweeted. "Worse, it leaks DNS requests. Apple services that escape the VPN connection include Health, Maps, Wallet."

VPN users with critical privacy needs like journalists, dissidents and activists are especially at risk if their traffic leaks.  

Normally, when a user connects to a VPN, existing internet connections should be terminated by the operating system, then re-established through the encrypted VPN tunnel. Data leaking unencrypted outside of an active VPN tunnel can pose serious privacy and security risks because a user's true IP address and other sensitive information can be exposed to the user's ISP, network administrators, government agencies and cybercriminals.     

Additionally, the researchers indicated that data leaks persisted even with Apple's new Lockdown Mode enabled. In fact, they say the leaks were worse in that mode.

Apple did not immediately respond to CNET's request for comment. But according to Apple's site, Lockdown Mode is "optional, extreme protection that's designed for the very few individuals who, because of who they are or what they do, might be personally targeted by some of the most sophisticated digital threats."

Proton VPN outlined a potential workaround in its blog post documenting the issue. Users should first connect to a VPN server, enable Airplane Mode on their iOS device (to kill all internet connections and temporarily disable the VPN) and then disable Airplane Mode. The VPN should then reconnect, and all internet connections should be re-established through the VPN tunnel. However, Proton VPN does warn that there is no 100% guarantee that this method will work.

"This is something that has unfortunately lingered despite us repeatedly raising the matter with Apple over a long stretch of time. Knowing that, it's worth reiterating that this issue is a byproduct of an iOS flaw, not some kind of bug within Proton VPN," a Proton spokesperson told CNET in an emailed statement. "The leak likewise affects VPN services across the board, not simply Proton. This situation is obviously suboptimal, but it does not expose user browsing history or other online activity."