The iOS 9+ bug: Why do PEAP or TTLS users get locked out of Wi-Fi when their password is updated? Why and how does TLS authentication still work?
To update or not to update?
The unfortunate trade-off for the cool new features in any major software update is the unintended bugs that creep in. Even after rigorous testing and multiple QA cycles, some issues end up shipping in the production release. Apple’s iOS — the extremely popular operating system used by millions of people — is no different.
Here at SecureW2, where we help users connect to secure Wi-Fi all over the world, we’ve been seeing an interesting issue with Apple’s iOS 9.x. Specifically, devices running iOS 9+ will not connect to an SSID after a password change. The issue affects both pre-shared-key and credential-based authentication mechanisms, leaving many end users frustrated because they are suddenly unable to connect to a network that was previously working just fine.
Common InfoSec policies and best practices within organizations require users to update their passwords periodically. However, this software bug leaves users of iOS 9+ devices unable to connect to Wi-Fi once their password has been updated.
This brings us to the ever-present “to update or not to update” software dilemma: under a password-change policy, if you don’t change your password within the specified period your account will be locked out. But now, because of the iOS 9 bug, you’ll get locked out of Wi-Fi even if you follow the policy and change your password!
Let’s take a closer look at what the user will experience step-by-step:
- The user’s password is updated in the back end, in Active Directory or any other directory service.
- The user is prompted for the new password in the native iOS password dialog when trying to connect to the secure SSID.
- The user enters the new password; even when it is entered correctly, the password prompt continues to be displayed.
- Subsequent attempts to enter the password also fail, so the device never connects to the desired SSID.
This issue was observed when PEAP or TTLS was used as the authentication method; it was widely discussed in multiple developer forums and was ultimately fixed in iOS 10. We’d like to note that when TLS was used as the authentication method, authentication worked as expected.
Both iOS and macOS use the keychain to manage passwords, cryptographic keys, certificates and similar secrets. EAP-TTLS and EAP-PEAP require only a server-side certificate, which is used to authenticate the server and establish a TLS tunnel that protects the user’s credentials; the user still has to enter a password to authenticate. The problem (the password prompt continuing to be displayed even after the correct new password is entered) was occurring in a specific keychain API used to manage user passwords for Wi-Fi connectivity. In contrast, authentication with EAP-TLS, which uses a client-side certificate alongside the server certificate, works fine because a different set of APIs is used to manage certificates, so the affected password-handling code path is never exercised.
Unfortunately for iOS 9.x users, only a handful of options are available once their devices run into this issue. They need to either re-run JoinNow MultiOS, which goes through the complete on-boarding process and creates new credentials that can be used to get network access, or upgrade to TLS.