A new, as-yet-unpatched weakness in Apple's iCloud Private Relay feature could be circumvented to leak users' true IP addresses from iOS devices running the latest version of the operating system.
Introduced as a beta with iOS 15, which was officially released this week, iCloud Private Relay aims to improve anonymity on the web by employing a dual-hop architecture that effectively shields users' IP address, location, and DNS requests from websites and network service providers.
It achieves this by routing users' internet traffic on the Safari browser through two proxies in order to mask who's browsing and where that data is coming from in what could be viewed as a simplified version of Tor.
However, the feature is available only to iCloud+ subscribers running iOS 15 or macOS 12 Monterey and above.
"If you read the IP address from an HTTP request received by your server, you'll get the IP address of the egress proxy," FingerprintJS researcher Sergey Mostsevenko said. "Nevertheless, you can get the real client's IP through WebRTC."
WebRTC, short for Web Real-Time Communication, is an open-source initiative aimed at providing web browsers and mobile applications with real-time communication via APIs that enable peer-to-peer audio and video communication without the need for installing dedicated plugins or apps.
This real-time media exchange between two endpoints is established through a discovery and negotiation process called signaling, which relies on a framework named Interactive Connectivity Establishment (ICE). ICE enumerates the transport addresses (known as candidates) that the two peers can use to find and connect to one another, irrespective of the network topology.
The vulnerability unearthed by FingerprintJS has to do with a specific candidate type dubbed the "Server Reflexive Candidate," which a client learns from a STUN server when its traffic must be routed around a NAT (Network Address Translator). STUN (Session Traversal Utilities for NAT) is a protocol that lets a host behind a NAT discover the public IP address and port the NAT has assigned to it.
Specifically, the flaw arises because these STUN requests are not routed through iCloud Private Relay, so the client's real IP address appears in the ICE candidates exchanged during the signaling process. "De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates — something easily accomplished with a web application," Mostsevenko said.
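To illustrate the candidate-parsing step Mostsevenko describes from a self-check angle, here is an added example (not from the article or FingerprintJS) that parses ICE candidate lines in the standard RFC 8839 `candidate:` format and reports any STUN-derived (srflx) address that differs from the egress proxy address the HTTP server actually sees. The candidate lines, IP addresses and function names are constructed for the example.

```javascript
// Added example: parse ICE candidate attribute lines (RFC 8839 grammar) and
// check whether a server-reflexive (srflx) candidate exposes an address other
// than the Private Relay egress proxy. All sample values below are constructed.

const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)(?: raddr (\S+) rport (\d+))?/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (!m) return null; // not a candidate attribute (e.g. end-of-candidates)
  return {
    foundation: m[1],
    component: Number(m[2]),
    transport: m[3].toLowerCase(),
    priority: Number(m[4]),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),
    relatedAddress: m[8] || null,
    relatedPort: m[9] ? Number(m[9]) : null,
  };
}

// Browsers that obfuscate host candidates publish an mDNS name, not an IP.
function isMdnsName(addr) {
  return /\.local$/i.test(addr);
}

// Returns the srflx addresses that differ from the address seen on the proxied
// HTTP request. A non-empty result means the STUN exchange bypassed the relay
// and the client's real public IP is visible in signaling.
function findRelayBypass(candidateLines, egressProxyAddress) {
  const leaked = new Set();
  for (const line of candidateLines) {
    const c = parseCandidate(line);
    if (!c || c.type !== 'srflx') continue; // only STUN-derived candidates
    if (isMdnsName(c.address)) continue;     // not an IP, nothing to compare
    if (c.address !== egressProxyAddress) leaked.add(c.address);
  }
  return [...leaked];
}

// Constructed sample: an mDNS host candidate, a srflx candidate learned via
// STUN, and a relay candidate whose address belongs to a TURN server.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d.local 54321 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 0.0.0.0 rport 0',
  'candidate:3 1 udp 41885439 198.51.100.7 3478 typ relay raddr 203.0.113.45 rport 54321',
];
const SAMPLE_EGRESS_PROXY = '192.0.2.10'; // constructed: what the HTTP server logs

console.log(findRelayBypass(SAMPLE_CANDIDATES, SAMPLE_EGRESS_PROXY)); // [ '203.0.113.45' ]
```

When Private Relay works as intended, every srflx address matches the egress proxy and the function returns an empty list.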
FingerprintJS said it alerted Apple to the problem, with the iPhone maker already rolling out a fix in its latest beta version of macOS Monterey. However, the leak has remained unpatched when using iCloud Private Relay on iOS 15.