Skip to main content

It's possible Apple's Private Relay VPN isn't so private after all

A potential security flaw in iCloud Private Relay can lead Apple’s VPN to ignore firewall rules and send some data back to the iPhone maker’s servers.

This leak itself was first discovered by the VPN company Mullvad which was monitoring network connections while working on its own app.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

For those unfamiliar, Private Relay functions in a similar way to a VPN tunnel or how Tor works by routing a user’s encrypted network through relay servers before it reaches the internet. The service is currently still in beta and is only available in certain regions though it also requires a paid iCloud+ subscription.

TechRadar Pro reached out to Apple regarding this potential leak in iCloud Private Relay but we’ve yet to hear back at the time of writing. However, since the service is still in beta, this issue could be rectified before it becomes generally available. Since iCloud Private Relay’s beta release coincided with the launch of iOS 15, Apple could make the service available in full with the release of iOS 16 in September of this year.

Ignoring firewall rules

According to a new blog post from Mullvad, the VPN company was monitoring network connections when it noticed that QUIC traffic was leaving one of its computers outside of a VPN tunnel.

Disabling Apple’s Private Relay feature made the leaks stop and the company has even provided instructions so that other users can reproduce the leak on their own. Mullvad also  pointed out in its blog post that Private Relay (mostly) disables itself as soon as any firewall rule is added to the Packet Filter (PF) system firewall on macOS devices. 

As such, the company believes that the leak itself is just some kind of heartbeat signal calling home to Apple. Although it’s impossible to know what information is transmitted to Apple’s servers, the leak does send a clear message to both your local network and ISP that you might be a macOS user.

At this time, Mullvad is unaware of any way to prevent Private Relay from leaking user traffic back to Apple but the company recommends that users disable the feature altogether for the time being if their threat model forbids their local network or ISP from knowing what kinds of devices they’re currently using.

Via AppleInsider



Source: TechRadar

Popular posts from this blog

Review: The Teracube 2e is a more sustainable phone that you can afford

It just got easier to be green. If you know me or read my work here at AC, you know that I feel strongly about a few things when it comes to smartphones and consumer tech, and those things are not necessarily what some of my colleagues or others in the tech-sphere care about. You can have your 10x optical zoom cameras, folding phones, and 50W wireless charging devices all day, but I'm more interested in affordable to mid-range devices that last longer than you'd expect and which are at least trying to do environmental and social good. Sounds great, but it seems that it's harder to find this combination of features in a phone than the ultra-premium specced-out devices we typically talk about here on this website. That's why I was excited when I had the chance to write this Teracube 2e review. Teracube is a relatively new smartphone OEM based out of Redmond, WA, and founder Sharad Mittal's stated goal is to change the "disposable nature of the consumer ele

Google's new Guest Mode is like incognito mode for Google Assistant

Your interactions with Google Assistant will not be saved when Guest Mode is turned on. What you need to know Google Assistant is getting a new Guest Mode for privacy-conscious users. When it's turned on, the virtual assistant will not save any of its interactions with you. Turning it on and off is as simple as a single voice command. Google this week announced a new Guest Mode for its virtual assistant that's designed with privacy-conscious folks in mind. A simple "Hey Google, turn on Guest Mode" will ensure that none of your interactions with Google Assistant are collected by the company and nor will they be used to 'personalize your experience' — often an indirect way of referring to targeted ads. When it's on, the Assistant will play a special chime to let you know. Smart displays with Assistant will also show a guest icon on the screen. And you can always check for yourself by saying, "Hey Google, is Guest Mode on?" Even with G

Spotify Q1 beats on sales of $2B with monthly active users up 31% to 286M

The coronavirus may be decimating some corners of the economy, but the impact on the digital music, as evidenced by the world’s biggest music streaming company, appears to be minimal. Today Spotify reported its earnings for Q1 with revenues of €1.848 billion ($2 billion at today’s rates) and an inching into a positive net income of $1 million. Monthly active users (not total subscribers) now stand at 286 million, with paid (premium) users at 130 million and ad-supported monthly active users at 163 million. Ad-supported users are growing at a slightly higher rate at the moment, at 32% versus 31%, Spotify said. Spotify beat  analysts’ forecasts on both sales — they had on average been expecting revenues of $1.86 billion — and EPS, which had been forecast to be -$0.49 but came in at -$0.20 on a diluted basis and $0.00 undiluted. The numbers underscore the positive signals we’ve had from the wider industry. More generally, we have seen a huge boost in streaming media services — includ

Adobe is giving students and teachers free access to Creative Cloud

Your university's IT admin will need to make an application for access. What you need to know Adobe is temporarily making Creative Cloud free for teachers and students. The offer is aimed at enabling them to continue being productive as they work and study from home. Students cannot individually avail the promo, however, as the application for access needs to be made by a university's IT admin. As universities around the world shut their campuses and organizations ask their employees to work from home, many tech companies are making their products available to educational institutes free for use. Google and Microsoft have both made their large-scale communication and videoconferencing tools free for everyone, and now Adobe is temporarily giving free Creative Cloud access to students and teachers. The subscription, which usually costs $79.49 per month, will give affected students and teachers access to the entire range of Adobe's applications, such as Photoshop