Network Security
FW: [ISN] The other iPhone lie: VPN policy support
- From: Howell, Paul
- Date: Wed Sep 16 10:11:33 2009
-----Original Message-----
From: isn-bounces@infosecnews.org [mailto:isn-bounces@infosecnews.org]
On Behalf Of InfoSec News
Sent: Wednesday, September 16, 2009 1:32 AM
To: isn@infosecnews.org
Subject: [ISN] The other iPhone lie: VPN policy support
http://www.infoworld.com/d/mobilize/other-iphone-lie-vpn-policy-support-865
By Galen Gruman
InfoWorld
September 15, 2009
It turns out that Apple's iPhone 3.1 OS fix of a serious security issue
-- falsely reporting to Exchange servers that pre-3G S iPhones and iPod
Touches had on-device encryption -- wasn't the first such policy
falsehood that Apple has quietly fixed in an OS upgrade. It fixed a
similar lie in its June iPhone OS 3.0 update. Before that update, the
iPhone falsely reported its adherence to VPN policies, specifically
those that confirm the device is not saving the VPN password (so users
are forced to enter it manually). Until the iPhone 3.0 OS update, users
could save VPN passwords on their Apple devices, yet the iPhone OS would
report to the VPN server that the passwords were not being saved.

The fact of the iPhones' false reporting of their adherence to Exchange
and VPN policies has caused some organizations to revoke or suspend
plans for iPhone support, several readers who did not want their names
or agencies identified told InfoWorld. One reader at a large government
agency describes the IT leader there as "being bitten by the change,"
after taking a risk to support the popular devices. "I guess we will all
have to start distrusting Apple," said another reader at a different
agency.

Last week's iPhone OS 3.1 update began correctly reporting the on-device
encryption and VPN password-saving status when queried by Exchange and
VPN policy servers, which made thousands of iPhones noncompliant with
those policies and thus blocked from their networks. (Only the new
iPhone 3G S has on-device encryption.) Apple's document on the iPhone OS
3.1 update's security changes neglected to mention this fix, catching
users and IT administrators off-guard. Worse, it revealed that Apple's
iconic devices have been unknowingly violating such policies for more
than a year.
[...]