A newly disclosed weakness in Apple's iCloud Private Relay, still unfixed on iOS at the time of writing, can be used to expose the real IP addresses of users on iOS devices running the latest version of the operating system.
iCloud Private Relay, introduced with iOS 15, uses a dual-hop architecture to hide a user's IP address, location and DNS requests from websites and network providers, with the goal of improving privacy online.
It works by routing Safari traffic through two proxies: the first hop (the ingress proxy, run by Apple) sees the user's IP address but not the destination, and the second hop (the egress proxy, run by a partner) sees the destination but not the user's IP address. The result is a simplified form of Tor. The feature is available only to iCloud+ subscribers on iOS 15 or macOS 12 Monterey or later.
A website that reads the client address from an incoming HTTP request sees the IP address of the egress proxy that forwarded the request. A website that uses WebRTC (Web Real-Time Communication), however, can learn the client's actual IP address.
WebRTC peers set up a real-time media or data session through a discovery and negotiation phase known as signaling, in which each side learns how to reach the other. Part of that exchange is the list of ICE (Interactive Connectivity Establishment) candidates, the network addresses on which a peer says it can be contacted.
FingerprintJS found that the leak comes from one kind of candidate, the server-reflexive candidate, which is produced with the help of a STUN server when an endpoint behind a NAT (Network Address Translator) needs to be reachable. STUN (Session Traversal Utilities for NAT) exists precisely to tell a host which public IP address and port it appears to have from outside the NAT.
The problem is that these STUN requests are not proxied over iCloud Private Relay, so the server-reflexive candidate carries the client's real public IP address, and that address is handed to the website when the ICE candidates are exchanged during signaling. A website does not even need a real peer for this: creating an RTCPeerConnection configured with a STUN server and generating an offer is enough to make the browser gather candidates and deliver them to the page's JavaScript.
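The following is an added example, not code from the original article or from FingerprintJS, showing the two halves of the problem described above: a browser-only function that triggers ICE gathering (which needs RTCPeerConnection and a reachable STUN server, assumed here to be stun:stun.l.google.com:19302), and a standalone parser that picks the public address out of the resulting candidate lines and compares it with the address the server saw on the HTTP connection. The candidate lines and addresses are constructed for the example; the mDNS `.local` host names mimic what Safari emits for host candidates, which is why only the srflx candidate is interesting here.

```javascript
// Added example (not the article's or FingerprintJS's code).
// Two parts: gatherIceCandidates() runs only in a browser; everything else
// runs in Node on the constructed sample lines below.

// Constructed sample candidate lines, in the format ev.candidate.candidate
// gives a page. Addresses come from RFC 5737 documentation ranges.
const SAMPLE_CANDIDATE_LINES = [
  // host candidate: Safari hides the LAN address behind an mDNS name, so no leak here
  'candidate:1 1 udp 2122260223 4f1a2b3c-5d6e-7f80-9a1b-2c3d4e5f6a7b.local 52431 typ host generation 0',
  // server-reflexive candidate: the STUN server's view of the client, i.e. its real public IP
  'candidate:2 1 udp 1686052607 203.0.113.5 52431 typ srflx raddr 0.0.0.0 rport 0 generation 0',
  // TCP host candidate, also obfuscated; some stacks prefix lines with "a="
  'a=candidate:3 1 tcp 1518280447 4f1a2b3c-5d6e-7f80-9a1b-2c3d4e5f6a7b.local 9 typ host tcptype active generation 0',
];

// Parse one ICE candidate attribute (RFC 5245 / RFC 8839 grammar, the fields we need):
//   candidate:<foundation> <component> <transport> <priority> <address> <port>
//             typ <type> [raddr <addr> rport <port>] ...
function parseCandidate(line) {
  const s = line.trim().replace(/^a=/, '');
  const m = s.match(/^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(.*)$/);
  if (!m) return null;
  const cand = {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7],
  };
  const ra = m[8].match(/\braddr (\S+) rport (\d+)/);
  if (ra) {
    cand.relatedAddress = ra[1];
    cand.relatedPort = Number(ra[2]);
  }
  return cand;
}

// Public addresses exposed by server-reflexive candidates. Host candidates are
// ignored on purpose: Safari's mDNS obfuscation already hides them, and the
// Private Relay leak is in the srflx address that STUN reported.
function leakedPublicAddresses(lines) {
  const out = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && c.type === 'srflx' && !c.address.endsWith('.local')) out.add(c.address);
  }
  return [...out];
}

// The check a site (or a fingerprinting script) would run: does the address STUN
// saw differ from the address the HTTP server saw? With Private Relay working as
// intended they match (both the egress proxy); with the leak they differ.
function relayBypassed(httpVisibleIp, lines) {
  return leakedPublicAddresses(lines).some((addr) => addr !== httpVisibleIp);
}

// Browser-only: trigger ICE gathering without any remote peer and collect the
// candidate lines. A data channel is enough to start gathering; the null
// candidate signals that gathering is complete.
async function gatherIceCandidates(stunUrl = 'stun:stun.l.google.com:19302') {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  pc.createDataChannel('probe');
  const lines = [];
  const done = new Promise((resolve) => {
    pc.onicecandidate = (ev) => {
      if (ev.candidate) lines.push(ev.candidate.candidate);
      else resolve();
    };
  });
  await pc.setLocalDescription(await pc.createOffer());
  await done;
  pc.close();
  return lines;
}

// In a browser, the end-to-end check would be:
//   const lines = await gatherIceCandidates();
//   relayBypassed(ipReportedByYourServer, lines);
```

On a relay-protected Safari session the HTTP-visible address is the egress proxy, so `relayBypassed` returning true means the STUN path went around the relay. The parser is the reusable part: the same candidate lines are what a server receives in signaling, so the check can be run server-side on the SDP as well as in the page.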
By the time Apple was alerted to the issue, it had already shipped a fix in the latest beta of macOS Monterey. On iOS 15, however, the leak remains unpatched even with iCloud Private Relay enabled.