There is a bug in iOS that disables Wi-Fi connectivity when devices join a network that uses a booby-trapped name, a researcher revealed over the weekend.
By connecting to a Wi-Fi network that uses the SSID “%p%s%s%s%s%n” (not including quotes), iPhones and iPads lose the ability to join that network or other networks in the future, reverse engineer Carl Schou reported on Twitter:
After connecting to my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled the WiFi functionality. Neither rebooting nor changing SSID solves it :~) pic.twitter.com/2eue90JFu3
— Carl Schou (@vm_call) June 18, 2021
It didn’t take long for trolls to take advantage of the finding:
An absence of malice
Schou, who owns the Secret Club hacking tool, initially saw no easy way to restore Wi-Fi capabilities. Finally, he discovered that users could reset network functionality by opening Settings > General > Reset > Reset Network Settings.
Apple representatives did not respond to email inquiries, including whether there were plans to fix the bug or whether it would affect macOS or other Apple offerings.
Schou said in an internet post that the bug is caused by the internal logging functionality in the iOS Wi-Fi daemon, which uses the SSID in format expressions. The condition, in some cases, allows untrusted format strings to be injected into sensitive parts of the heavily hardened Apple OS. However, he and other security experts said there was little chance of the bug being maliciously exploited.
“In my opinion the threat in the real world is minimal as you are quite limited by the length of the SSID and the format expression itself,” he explained. “You could potentially turn this into an information feed in the logger, but I don’t think it’s even remotely possible to get code execution.”
A quick analysis of the bug by a third-party researcher indicated that it is unlikely that the bug could be exploited to execute malicious code. The analysis also found that the flaw appears to stem from an iOS logging component that uses a concat function to effectively turn the SSID string into a format string before writing it to the log file.
Because the strings are not echoed back to sensitive areas of iOS, it is unlikely that a hacker will be able to maliciously abuse the logging function. In addition, an exploit requires the target to actively join a network that carries a suspicious-looking name.
“For exploitability, it doesn’t echo and the rest of the parameters seem uncontrollable,” the researcher wrote. “So I don’t think this case can be abused. After all, to activate this bug, you need to connect to that WiFi, where the SSID is visible to the victim. A phishing WiFi portal page might as well be more effective.”
Not all researchers came to the same assessment. For example, researchers at security firm AirEye said the technique could be used to bypass security devices located at the edge of a network to prevent unauthorized data from entering or exiting.
“What we found was that while the latest iPhone Format String flaw is considered seemingly harmless, the implications of this vulnerability go far beyond any joke,” wrote AirEye researcher Amichai Shulman. “If you are responsible for the security of your organization, you should be aware of this vulnerability, as a related attack could compromise corporate data while bypassing common security controls such as NAC, firewalls and DLP solutions.”
Shulman also said macOS is affected by the same bug. Ars could not immediately verify this claim. Schou said he hasn’t tested macOS, but others have reported being unable to reproduce the error on the operating system.
The real story
Schou told me that network crashes don’t happen every time an iOS device connects to a malicious SSID. “It’s non-deterministic, and sometimes you’re lucky enough to have the Wi-Fi daemon crash without persisting the SSID,” he explained. The bug has been around since iOS 14.4.2, which was released in March, and possibly years before that.
He said he discovered the bug when he connected an iPhone to one of his wireless routers. “All my devices are named after different injection techniques to mess with old devices that don’t purify the input,” Schou said. “And apparently the latest iOS.”
The crash is caused by what researchers call a format string bug. The error occurs when untrusted user input is used as the format-string parameter of certain functions written in C and C-style languages. Format tokens such as %s and %x can, in some cases, read and print data from memory. The bug class was initially considered harmless. More recently, researchers have seen the possibility of writing to memory, and from there running malicious code, using the %n format token.
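As an added illustration of the logging mistake described above and of the checks a defender might add, this C snippet is not code from the page, from Apple or from the researchers; the function names are hypothetical. It shows the safe way to log an SSID (passing it as an argument, never as the format) and two scanners that flag an SSID carrying format directives, including the memory-writing %n.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an SSID. "%%" is a literal
 * percent sign and is not counted; any other '%' starts a directive. */
size_t count_format_directives(const char *ssid)
{
    size_t n = 0;
    for (const char *p = ssid; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* True if the SSID contains a "%n" directive, the one that writes to memory.
 * Flags, width, precision and length modifiers between '%' and 'n' are skipped. */
bool has_write_directive(const char *ssid)
{
    for (const char *p = ssid; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q != '\0' && strchr("-+ #0123456789.hlLqjzt", *q) != NULL)
            q++;
        if (*q == 'n')
            return true;
    }
    return false;
}

/* The bug pattern to avoid is snprintf(out, outlen, ssid): the SSID becomes
 * the format string and its directives are interpreted (compilers flag this
 * with -Wformat-security). The fix is a constant format with the SSID as data. */
int log_ssid_safely(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, "joined network: %s", ssid);
}
```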
The most surprising thing about this bug is the fact that it exists at all. There is a wide range of programming guidelines to avoid these types of format string errors. The failure of what is arguably the world’s most secure consumer operating system to adequately implement these techniques by 2021 is the real story here.