Apple's New iCloud Private Relay Service Leaks User’s Real IP Addresses
Reading Time: 2 minutes

Apple’s new iCloud private relay service leaks user’s real IP addresses. The iCloud Private Relay was introduced by Apple with iOS 15 earlier this week. It aims to improve anonymity on the web as it employs a dual-hop architecture that effectively shields users’ IP addresses, locations, and DNS requests from websites and network service providers.

The feature enables this by routing users’ internet traffic on the Safari browser through two proxies and hides the person browsing and knowing where the data is coming from, it’s like a simplified version of Tor.

The feature is available for iCloud+ subscribers running iOS 15 or macOS 12 Monterey and above.

FingerprintJS researcher Sergey Mostsevenko said, “If you read the IP address from an HTTP request received by your server, you’ll get the IP address of the egress proxy. Nevertheless, you can get the real client’s IP through WebRTC.”

WebRTC is an open-source initiative aimed at providing web browsers and mobile applications. It offers real-time communication via APIs that enable peer-to-peer audio and video communication and does not require you to install dedicated plugins or apps.

The real-time media exchange between two endpoints is established via a discovery and negotiation process called signaling. This involves the use of a framework named Interactive Connectivity Establishment (ICE). It details the methods (aka candidates) that can be used by the two peers to find and establish a connection with one another, irrespective of the network topology.

FingerprintJS discovered the vulnerability is related to a specific candidate dubbed “Server Reflexive Candidate”, which is generated by a STUN server when data from the endpoint needs to be transmitted around a NAT (Network Address Translator). While STUN(Session Traversal Utilities for NAT ), a tool used to retrieve the public IP address and port number of a networked computer situated behind a NAT.

Since STUN requests are not proxied the flaws arise from it through iCloud Private Relay. This results in a scenario where all the IP addresses of the client are exposed when the ICE candidates are exchanged during the signaling process. According to Mostsevenko, “De-anonymizing you then becomes a matter of parsing your real IP address from the ICE candidates — something easily accomplished with a web application.”

FingerprintJS further added, “it alerted Apple to the problem, with the iPhone maker already rolling out a fix in its latest beta version of macOS Monterey. However, the leak has remained unpatched when using iCloud Private Relay on iOS 15.”

The latest revelation just goes to show how iCloud Private Relay cannot be a replacement for VPNs. While users who are concerned about the visibility of their IP address should prefer to use a real VPN, a browser such a Tor network and completely disable JavaScript from Safari to turn off WebRTC-related features.

Related Articles:

Urgent Apple iPhone Software Update Issued to Tackle Critical Spyware Vulnerability
Cobalt Strike Beacon Linux and Windows Implementation Targets Organizations Worldwide
SOVA – New Android Banking Trojan Keeps Getting Powerful