Select Page

A new as-yet unpatched weakness in Apple’s iCloud Private Relay feature could be circumvented to leak users’ true IP addresses from iOS devices running the latest version of the operating system.

Introduced as a beta with iOS 15, which was officially released this week, iCloud Private Relay aims to improve anonymity on the web by employing a dual-hop architecture that effectively shields users’ IP address, location, and DNS requests from websites and network service providers.

It achieves this by routing users’ internet traffic on the Safari browser through two proxies in order to mask who’s browsing and where that data is coming from in what could be viewed as a simplified version of Tor.

However, the feature is available only to iCloud+ subscribers running iOS 15 or macOS 12 Monterey and above.

“If you read the IP address from an HTTP request received by your server, you’ll get the IP address of the egress proxy,” FingerprintJS researcher Sergey Mostsevenko said. “Nevertheless, you can get the real client’s IP through WebRTC.”

WebRTC, short for Web Real-Time Communication, is an open-source initiative aimed at providing web browsers and mobile applications with real-time communication via APIs that enable peer-to-peer audio and video communication without the need for installing dedicated plugins or apps.

This real-time media exchange between two endpoints is established through a discovery and negotiation process called signaling that involves the use of a framework named Interactive Connectivity Establishment (ICE), which details the methods (aka candidates) that can be used by the two peers to find and establish a connection with one another, irrespective of the network topology.

The vulnerability unearthed by FingerprintJS has to do with a specific candidate dubbed “Server Reflexive Candidate” that’s generated by a STUN server when data from the endpoint needs to be transmitted around a NAT (Network Address Translator). STUN — i.e., Session Traversal Utilities for NAT — is a tool used to retrieve the public IP address and port number of a networked computer situated behind a NAT.

images from Hacker News