Connecting to malicious Wi-Fi networks can mess with your iPhone
There’s a bug in iOS that turns off Wi-Fi connectivity when devices join a network that uses a trick name, a researcher revealed over the weekend.
By connecting to a Wi-Fi network that uses the SSID “%p%s%s%s%s%n” (quotes not included), iPhones and iPads lose the ability to join that network or any other network in the future, reverse engineer Carl Schou reported on Twitter.
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone has permanently disabled its WiFi functionality. Neither restarting nor changing the SSID fixes it :~) pic.twitter.com/2eue90JFu3
– Carl Schou (@vm_call) June 18, 2021
It didn’t take long for the trolls to capitalize on the discovery:
An absence of malice
Schou, who is the owner of the Secret Club hacking resource, initially saw no easy way to restore Wi-Fi capabilities. Eventually, he found that users could reset network functionality by opening Settings > General > Reset > Reset Network Settings.
Apple representatives did not respond to questions sent via email, including whether there are plans to fix the bug and whether it affects macOS or other Apple offerings.
Schou said in an online post that the bug was caused by the internal logging feature of the iOS Wi-Fi daemon, which uses the SSID inside format expressions. In some cases, the condition allows unauthorized format strings to be injected into sensitive parts of the heavily hardened Apple operating system. He and other security experts, however, said there was little chance the bug would be exploited maliciously.
“In my opinion, the actual threat is minimal, as you are quite limited by the length of the SSID and the format expression itself,” he explained. “You could potentially turn that into an information disclosure in the logger, but I don’t think it’s even remotely possible to get code execution.”
A quick analysis of the bug by an outside researcher confirmed that it is unlikely the bug could be exploited to execute malicious code. The analysis also indicated that the bug appears to stem from a flaw in an iOS logging component that uses the concat function to efficiently convert the SSID string into a format string before writing it to the log file.
Since the strings are not fed back into sensitive parts of iOS, it is unlikely that an attacker could abuse the logging feature in a meaningful way. On top of that, an exploit would require a person to actively join a network that bears a suspicious-looking name.
“For exploitability, it doesn’t echo, and the rest of the parameters don’t seem controllable,” the researcher wrote. “So I don’t think this case is workable. After all, to trigger this bug, you need to connect to this WiFi, where the SSID is visible to the victim. A phishing Wi-Fi portal page might as well be more effective.”
Not all researchers have reached the same assessment. Researchers at security firm AirEye, for example, said the technique could be used to bypass security devices at the edge of a network that are designed to prevent unauthorized data from entering or leaving.
“What we found is that while the latest format string flaw in the iPhone is seen as seemingly benign, the implications of this vulnerability go far beyond any joke,” wrote AirEye researcher Amichai Shulman. “If you are responsible for the security of your organization, you should be aware of this vulnerability, as a related attack can affect company data while bypassing common security controls such as NAC, firewalls, and DLP solutions.”
Shulman also said that macOS is affected by the same bug. Ars could not immediately verify this claim. Schou said he has not tested macOS, but others have reported that they are unable to reproduce the error on the operating system.
The real story
Schou told me that network outages don’t happen every time an iOS device connects to a malicious SSID. “It’s non-deterministic, and sometimes you’re lucky enough for the Wi-Fi daemon to crash without the SSID persisting,” he explained. The flaw has been around since at least iOS 14.4.2, which was released in March, and possibly years before that.
He said he discovered the bug when he connected an iPhone to one of his wireless routers. “All of my devices are named after various injection techniques to disrupt older devices that don’t sanitize input,” Schou said. “And apparently the latest iOS.”
The crash is caused by what researchers call an uncontrolled format string bug. The flaw occurs when untrusted user input is used as the format string parameter of certain functions in C and C-style languages. Format tokens such as %s and %x can in some cases print data from memory. The bug class was initially considered harmless; more recently, researchers recognized the potential for malicious code to be written into memory using the %n format token.
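The following C program is an added illustration of the bug class described above and of the logging pattern the article attributes to the Wi-Fi daemon; it is not Apple’s code or Schou’s. It shows the hardened form of the logging call (the untrusted SSID is passed as an argument, never as the format string) alongside a simple check a developer or reviewer can run to flag names that contain printf-style conversion directives. The SSID value is the one reported in the article; the helper names and the log line prefix are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* SSID reported in the article, embedded here as sample input. */
#define SAMPLE_SSID "%p%s%s%s%s%n"

/* Returns true if the string contains a '%' that the printf family would
 * interpret as a conversion directive. A doubled "%%" is a literal percent
 * sign and is skipped. Useful as a lint/telemetry check on names that will
 * be logged, not as a substitute for fixing the logging call itself. */
bool has_format_directive(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '%') {
            if (s[i + 1] == '%') { i++; continue; }  /* literal "%%" */
            return true;
        }
    }
    return false;
}

/* Counts how many "%n" tokens appear; %n writes to memory, which is why it
 * turns a formatting mistake into a potential memory corruption issue. */
int count_write_directives(const char *s)
{
    int n = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] == '%' && s[i + 1] == 'n') { n++; i++; }
    }
    return n;
}

/* Hardened logger: the SSID is always a %s argument, so its contents are
 * copied verbatim and never parsed as directives.
 *
 * The vulnerable pattern the article describes would instead build the
 * format string from the SSID, e.g.  snprintf(out, outlen, ssid);
 * That call is deliberately NOT made here.
 *
 * Returns the length snprintf reports (characters that would be written). */
int log_ssid_safe(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, "joined network: %s", ssid);
}

int main(void)
{
    char line[128];
    int len = log_ssid_safe(line, sizeof line, SAMPLE_SSID);

    printf("directive present: %s\n", has_format_directive(SAMPLE_SSID) ? "yes" : "no");
    printf("%%n tokens: %d\n", count_write_directives(SAMPLE_SSID));
    printf("log line (%d chars): %s\n", len, line);
    return 0;
}
```

The key property is visible in the output: the hardened call emits the SSID characters literally, so the log line contains the raw `%p%s%s%s%s%n` text and nothing is read from or written to the stack. The checker is what you would wire into a build-time review or a log-ingest rule to surface names that should never have reached a format argument.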
The most surprising thing about this bug is the fact that it exists at all. There is a wide range of programming guidelines to prevent these types of format string faults. The failure of what is arguably the world’s most secure consumer operating system to properly implement these techniques in 2021 is the real story here.