Apple's iOS 9 Breaks VPNs
An anonymous reader writes with a report from The Stack that researchers have discovered a crucial security problem in the latest version of iOS 9: it breaks VPN connections to corporate servers. According to the linked piece, "The flaw was first detected in the iOS 9 beta, and has not been fixed in the released version. Neither has the bug been removed in the current iOS 9.1 beta." The workaround might not be what you want to hear, either, if you've happily upgraded to the latest version: it's to downgrade to iOS 8.4.1.
Good for the minions (Score:3, Funny)
All the C-levels will be disconnected so we can get work done.
And here I thought Apple was a true business player.
Re:Good for the minions (Score:5, Informative)
We're using Cisco's VPNs at the office and I've not observed it to be broken under iOS 9. Ditto for a colleague of mine.
Re:Good for the minions (Score:5, Informative)
FTA "Most notable is that when doing split tunneling, the Tunnel All DNS option no longer functions as expected."
Your setup may be using public DNS or published apps like Citrix.
Re: (Score:2)
So I take it this is a set-up where just some traffic goes into the tunnel? I did that with OpenVPN on Linux a while ago. Was a bit tricky and required policy-based routing because of DNS.
But if so, I gather the tunnel gets established fine, but routing of DNS packets does not work as it should?
Re: (Score:1, Informative)
Yes, please use Android.
Whoops: https://code.google.com/p/andr... [google.com]
Re: (Score:1, Funny)
BlackBerry wins again. Boom
Re: (Score:1)
Yes, please use Android.
Whoops: https://code.google.com/p/andr... [google.com]
Hahahahahahaha!!!!!! That's GREAT!!!!
Re: (Score:1)
Why is this modded down? You guys normally love pointing out when Apple copies Android!
Re:Of course Apple wants into enterprise though? (Score:4, Interesting)
They have a LOT to do. We have had to switch our clients over to a chip and pin AD login from a regular local account. There is no easy way to do this. We can't apply the new security to the old accounts directly, or so I am told, so we have had to make another account and then "port" the old account data into the new one. Time Machine broken, because it is protected by UID, no matching UID no backup, period. Keychain wonkiness, everything you know can go wrong with a keychain, has. Dropbox broken, easily fixed, but still... The best part, when 10.11 comes out no one can update because it will break all the chip and pin stuff and users won't be able to log in. We have had to send 2 FAQs on dealing with the asininity of all of this, and we are still stumbling across issues. One of my co-workers is tasked with something to do with programmers and root, that does not like these new accounts. No, I am not helping with that crap. BTW, when this happened with Windows, they just pushed a package that did all the wizardry, which was simply installing a card reader driver, and a script that made sure that if there was a matching local account UID that it inherited that account.
That brings me to the next issue, patch management, or rather the lack of it. When 10.11 comes out we have to hope everyone listens, because otherwise we're playing fun account movement games after downgrading them back to 10.10. Users cannot install printers now, we have people bringing their printers in to work, so that we can install them. We have to patch everyone manually as there is no way to manage them with what we have.
IT has been an absolute mess, and the boss, who is normally ok with letting a small thing slide without a ticket, is demanding that every interaction related to this, even 15 seconds, have a ticket so that he can show the massive time costs of this nonsense.
Re: (Score:2)
The original argument was saying enterprise was great because a single person represents 10,000 instead of those same 10,000 being represented by 10,000 people. The counter argument is that Apple excels precisely at getting consumers to decide on their platform in an individual fashion, so they have no reason to be attracted to such a prospect.
Re: (Score:3)
Therein lies the crux of the problem for Apple. The way in is basically to do a lot more work enabling concepts like group policies and also 'lighten up licenses' so that effectively people can get use of their work for less money. There isn't an obvious way forward for Apple.
They can hope that players will upend the industry for them in a way that aligns to their sensibilities, but bending their sensibilities to try to capture the way IT works as-is would be a losing proposition.
Re: (Score:3)
They did want to be in the enterprise and hence the XServe being created. They realized they just weren't aligned with the industry and the prospects were grim for return on investment for trying to change that. So they stopped doing things that required them to spend money when the returns may likely never happen.
However when Cisco and IBM want to fall all over themselves to 'partner' with Apple, Apple will take the free endorsement. Note that both the Cisco and IBM deals cost Apple approximately nothin
Source control? (Score:5, Insightful)
Happy to be wrong, but Apple have had a few regression-type bugs before which again make me think their branching/merging strategies may not quite be up to snuff. Would like to be wrong though - anyone know of a changed area in iOS 9 that would have necessitated playing with something like this?
Re: Source control? (Score:5, Funny)
Please send your resume to me. We need a few d*ck heads that lack the ability to be constructive in their comments.
Re:Source control? (Score:5, Insightful)
This is what happens when you try to make a software update part of a hardware roll-out. They have hardware that they want to ship at a specific date, but haven't had any chance to get the software tested out in a while. They basically had to release iOS 9 even though they knew there were bugs because it was necessary for the new iPad and iPhone models.
Re: (Score:2)
This is what happens when you try to make a software update part of a hardware roll-out. They have hardware that they want to ship at a specific date, but haven't had any chance to get the software tested out in a while. They basically had to release iOS 9 even though they knew there were bugs because it was necessary for the new iPad and iPhone models.
You mean for publicity? I am sure iOS8 works fine on the new devices. The problem is that they promise a new version every year, and not releasing one would look bad.
Re: (Score:2)
The problem is that they promise a new version every year, and not releasing one would look bad.
So just change the 8 to a 9 and make a subtle graphic change and call it a day. I mean Chrome goes through something like 20 versions a month and doesn't seem to have changed in the past few years.
Re: (Score:2)
It works fine, but without any of the support for the new hardware features or the new OS features that are supposed to work with the new hardware features.
AFAICT, the new hardware basically requires a pretty significant OS revision. To be sure, a lot of the changes (like the "task manager" view which now shows a less convenient overlapping page view of existing open apps) seem purely for cosmetics.
Re: (Score:2)
When iOS 8 was released, people noticed straight away that images couldn't be uploaded to web sites. As in, multipart-encoded image data included in a web form was just stripped away.
My reaction was, "How could such a show-stopping lack of QA be allowed to happen at all, let alone WHY it happened?"
The reaction from many of my peers on DeviantArt and other art-related web sites, upon realizing they couldn't upload their art, was, "Oh, I'm sure it'll be fixed soon. No big deal."
Re: (Score:2)
Maybe the integration of a security patch or more important features that caused this. After all, they knew about the issue at launch so there's most probably a reasonable reason for the bug. In addition, it appears only specific network configurations will cause the issue to occur.
Because I lack large dev team branching/merging experience, it's hard for me to understand where they could have gone wrong. To me having a branch that makes things work doesn't reverse the fact that another feature may be more im
Re: Source control? (Score:2)
They added support for different types of VPNs.
Re: (Score:2)
Is this a serious comment? Why would you assume they _wouldn't_ make any changes to a given subsystem?
Re: (Score:2)
Why? Source control doesn't prevent regressions. Besides, they've clearly been working in this area for iOS 9, see the new network extension points for example.
This doesn't even seem remotely related to branching/merging. To be
Android Too (Score:2, Interesting)
Makes you wonder why:
1. Cell manufacturers are moving to devices that cannot be truly turned off by removing the battery.
2. Android after 4.4 broke persistent VPN support.
3. Now iOS 9 breaks VPN support.
Coincidence? Who might prefer to have a citizenry carrying locator beacons that cannot be turned off and where encrypting all data communication has been disabled?
Re: (Score:3)
Coincidence? Who might prefer to have a citizenry carrying locator beacons that cannot be turned off and where encrypting all data communication has been disabled?
You can get cell position via DtoA and your actual calls have been broken open for a long time now, so this is not about that. This is about your data, not about your location.
Re: (Score:2)
I'm pretty paranoid, but even I've given up caring about non-removable batteries. If you're that worried, carry an anti-static bag (or other Faraday cage) around with you.
Re: (Score:2)
Never attribute to malice what can be attributed to corporate douche-bags pushing untested software out the door with a promise to fix it with the first few patches.
Re: (Score:1)
Makes you wonder why:
1. Cell manufacturers are moving to devices that cannot be truly turned off by removing the battery.
Aehm, no battery - no power? How is that different from being "turned off"?
Re: (Score:2)
All phones can be truly turned off by removing the battery and all batteries in phones can be removed. The question is how much damage that does.
Impossible (Score:2, Insightful)
Everyone knows that Macs just work, more Micro$oft FUD.
Split Tunneling? (Score:5, Insightful)
Problem is DNS during split tunneling, which isn't the same as "breaks VPN."
I guess the editors are either click-baiting, are technically illiterate, or both.
Re: (Score:2)
Problem is, while people like us understand what's going on here, the other 95% of the population only sees that their Facebook isn't loading. To them, it broke VPN.
I'm sure of those 95%, 99% have no idea what DNS is
Re: (Score:1)
Apple's DNS implementations in general are a bit nonstandard and broken and are a huge headache for administrators. That's the real story that should be here.
Why and how? (and please try to resist the temptation to work the words: walled, garden and hipster into the reply)
Re: Split Tunneling? (Score:2)
Slashdot: Technically illiterate clickbait. Formerly "News for Nerds, Stuff that Matters".
Re: (Score:2)
To be fair, this topic is a bit advanced.
No such problems here (Score:1)
Didn't see any problems with VPNs during the betas, nor with final release. This is with connections to Junos Pulse, StrongSwan/xl2tpd, and racoon VPNs.
Maybe the reason it wasn't "fixed" is it isn't an issue in the first place.
Hint (Score:1)
Don't install .0 versions of operating systems on production systems. At least, not until they've been tested and shown to work.
A little more sense (Score:1)
Workaround is to reinstall that VPN software on your iOS device.
Downgrade? (Score:2, Interesting)
You can't downgrade if you didn't have a backup already.
iOS 9 broke other things as well. iOS 9 won't connect to hidden SSID Wi-Fi networks either. I can verify this issue. There are some other grumblings of WPA / WPA2 connection issues for some as well.
Even some popular apps, like Words with Friends in my case, don't work in iOS 9.
Re: (Score:2)
My only connection at home is a hidden SSID network and it's working fine. Are you saying you can't connect to unknown hiddens? If so, sounds like the XP version of WiFi. That would bite.
Killing WwF, opening each game, not touching any tiles, going back to the home screen, then reopening the game seems to help. But yeah, it locks really easily. I'm surprised they didn't have an update ready. Then again, the app has always been a POS - at least on iOS.
Re: (Score:1)
The problem is that Apple is still used to having momentum by taking a market, then making money on an annual basis by incremental upgrades.
Since Jobs left, things just seem different. Simple things like being able to reliably sync an iPhone via a connector have been broken since iOS 5 [1].
Each iteration of OS X was supposed to be "faster" than the one before it, and there were a lot of leaps and bounds in background improvements. El Capitan has some decent improvements (especially in the security departm
Re: (Score:1)
Just to be a pedantic dickweed, SSDs are not rated by RPM, that is hard-drives. An SSD revolving at 7200 RPM would likely fail, probably in a violent fashion. However, I will not be testing this, as I am loath to damage my tools, and am rather lacking in spare SSDs.
That being said, I agree entirely with the spirit of your post.
Re: (Score:3)
HFS has been upgraded to improve. On-the-fly compression, built-in backup/versioning and whole-disk-encryption being some of the more visible things lately. Antivirus has been built-in to OS X since I think 10.5 and two-factor authentication has also been possible since I think 10.3.
As far as repairs, the 'hard drive' is still replaceable but it's not a SATA thing it's a PCI card and there are several aftermarket options.
Re: (Score:2)
In most cases when Windows doesn't work it isn't Windows that is to blame, it is a bad developer or bad/cheap hardware or drivers.
Great (Score:2, Interesting)
Switched from Android to iOS because Google won't fix their Bluetooth stack. I'll have to try my VPN on Friday and see if iOS 9 broke it. If so, I'll have to have two phones just so I can use two of the most important OS features that have been around for years but nobody can seem to get right (all at once, within one device, that is).
I thought you couldn't downgrade iOS (Score:2)
I thought Apple made it so you couldn't downgrade iOS (as a way to stop people from downgrading to a version that can be jailbroken)
No issues with iOS 9 and OpenVPN (Score:2)
It hasn't caused any problems with my OpenVPN based service. So sad that the corporate guys' software isn't working as well.
Been using IPsec VPNs without any problem (Score:2)
ExpressVPN broken too. (Score:2)
Post-iOS 9 install I noticed ExpressVPN doesn't work at all either. At least I only need it for YouTube/Gmail ish, poor business-users, f'd. This is a pretty serious bug, quite shocked that it was known and let pass into retail release... indicator of slip in quality perhaps? Kinda like MacBook 12" forcing users to a single USB-C port, in other words, forcing users into buying an adapter, far before C becomes standard? What's going on here.
iOS9 phones can't use iTunes 11.5.5 or WinXP (Score:1)