It's possible Apple's Private Relay VPN isn't so private after all

iCloud Private Relay
(Image credit: Apple)

A potential security flaw in iCloud Private Relay can lead Apple’s VPN to ignore firewall rules and send some data back to the iPhone maker’s servers.

This leak itself was first discovered by the VPN company Mullvad which was monitoring network connections while working on its own app.

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. end of this survey

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.

For those unfamiliar, Private Relay functions in a similar way to a VPN tunnel or how Tor works by routing a user’s encrypted network through relay servers before it reaches the internet. The service is currently still in beta and is only available in certain regions though it also requires a paid iCloud+ subscription.

TechRadar Pro reached out to Apple regarding this potential leak in iCloud Private Relay but we’ve yet to hear back at the time of writing. However, since the service is still in beta, this issue could be rectified before it becomes generally available. Since iCloud Private Relay’s beta release coincided with the launch of iOS 15, Apple could make the service available in full with the release of iOS 16 in September of this year.

Ignoring firewall rules

According to a new blog post from Mullvad, the VPN company was monitoring network connections when it noticed that QUIC traffic was leaving one of its computers outside of a VPN tunnel.

Disabling Apple’s Private Relay feature made the leaks stop and the company has even provided instructions so that other users can reproduce the leak on their own. Mullvad also  pointed out in its blog post that Private Relay (mostly) disables itself as soon as any firewall rule is added to the Packet Filter (PF) system firewall on macOS devices. 

As such, the company believes that the leak itself is just some kind of heartbeat signal calling home to Apple. Although it’s impossible to know what information is transmitted to Apple’s servers, the leak does send a clear message to both your local network and ISP that you might be a macOS user.

At this time, Mullvad is unaware of any way to prevent Private Relay from leaking user traffic back to Apple but the company recommends that users disable the feature altogether for the time being if their threat model forbids their local network or ISP from knowing what kinds of devices they’re currently using.

Via AppleInsider

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Screenshot of Obscura VPN website
Obscura VPN promises to “set the standard for the next-generation of VPNs”
A person at a laptop with a cybersecure lock symbol floating above it.
Parallels Desktop has some worrying security flaws for Mac users
Laptop with binary computer code and India flag on the screen
VPNs are disappearing from India's app stores – and a 2022 law may be the culprit
A hand holding an iPhone with the iCloud logo on screen.
UK's Apple iCloud backdoor "jeopardizes the security and privacy of millions," warn experts
Mullvad VPN working on a laptop
VPN firm warns against encryption backdoor in new ad
Green background featuring laptop with connect button
I tried the "world's most secure VPN" and while it's not the VPN you'll want, you'll need it sooner than you think
Latest in VPN
Swiss flag with view of Geneva city, Switzerland
Secure encryption and online anonymity are now at risk in Switzerland – here's what you need to know
Demonstrators protesting against the arrest of the Mayor of Istanbul Ekrem Imamoglu block Atatürk Boulevard on March 22, 2025 in Ankara, Türkiye.
Turkey's social media ban has been lifted, but VPN usage is still high
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
A hand holds a smartphone displaying the NordVPN logo
NordVPN Prime hits lowest-ever price in VPN Spring sale
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address
What does your IP address reveal about you?
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
Latest in News
Hisense U8 series TV on wall in living room
Hisense announces 2025 mini-LED TV lineup, with screen sizes up to 100 inches – and a surprising smart TV switch
Nintendo Music teaser art
Nintendo Music expands its library with songs from Kirby and the Forgotten Land and Tetris
An image of Pro-Ject's Flatten it closed and opened
Pro-Ject’s new vinyl flattener will fix any warped LPs you inadvertently buy on Record Store Day
The iPhone 16 Pro on a grey background
iPhone 17 Pro tipped to get 8K video recording – but I want these 3 video features instead
EA Sports F1 25 promotional image featuring drivers Oscar Piastri, Carlos Sainz and Oliver Bearman.
F1 25 has been officially announced, with this year's entry marking a return for Braking Point and a 'significant overhaul' for My Team mode
Garmin clippd integration
Garmin's golf watches just got a big software integration upgrade to help you improve your game