The latest iOS 15 from Apple has gained much attention due to numerous privacy enhancements. However, a vulnerability in the iCloud Private Relay service can expose the real IP addresses of Apple users online. For now, the bug hasn’t received a fix.
Apple iCloud Private Service Relay Vulnerability
In the latest post, security researcher Sergey Mostsevenko from FingerprintJS has shared details about the iCloud Private Relay bug.
Briefly, iCloud Private Relay is a newly launched service from Apple that aims to hide users’ real IP addresses. It means that, with this feature enabled, users can hide their IP addresses and DNS requests to avoid web tracking.
Currently in beta, the tech giant has launched this feature with iOS 15 in iCloud+. The service works by rerouting the traffic first through Apple servers and then via third-party servers that assign a new IP address to the user. In this way, as Apple claims, no one can track the user, including Apple.
However, despite these claims of anonymity, Mostsevenko found a WebRTC bypass that exposes real IP.
As elaborated, WebRTC uses the ICE framework for P2P communication between browsers (while sharing real IP addresses), which further plays a role in communications across NAT via STUN server. So, the glitch appears because Safari doesn’t proxy STUN requests via iCloud Private Relay. Thus, the STUN servers know the actual IP addresses, allowing anyone to access the real IPs by parsing ICE candidates.
In order to get real IP addresses, you need to create a peer connection object with a STUN server, collect the ICE candidates, and parse the values. This method requires no user permissions and works on both HTTP and HTTPS pages. Additionally, it’s fast (the time it takes for a couple of parallel network requests) and leaves no traces in browser development tools.
The researcher has explained the technical details about the whole issue in his post.
No Definitive Patch Yet
After finding the vulnerability, the researcher reported the matter to Apple. However, it largely remains unfixed yet.
Specifically, Apple has addressed the matter with MacOS Monterey beta. However, iOS 15 users need to remain careful. (Currently, the iCloud Private Relay feature is available to iOS15 iCloud+ users on Safari.)