Connecting to malicious Wi-Fi networks can mess with your iPhone


There’s a bug in iOS that disables Wi-Fi connectivity when devices join a network that uses a booby-trapped name, a researcher disclosed over the weekend.

By connecting to a Wi-Fi network that uses the SSID “%p%s%s%s%s%n” (quotation marks not included), iPhones and iPads lose the ability to join that network or any other networks going forward, reverse engineer Carl Schou reported on Twitter.

It didn’t take long for trolls to capitalize on the finding:

An absence of malice

Schou, who is the owner of hacking resource Secret Club, initially saw no easy way to restore Wi-Fi capabilities. Eventually, he found that users could reset network functionality by opening Settings > General > Reset > Reset Network Settings.

Apple representatives didn’t respond to emailed questions, including if there were plans to fix the bug and whether it affected macOS or other Apple offerings.

Schou said in an Internet message that the bug is caused by the internal logging functionality in the iOS Wi-Fi daemon, which uses the SSID inside of format expressions. The condition makes it possible in some cases for unauthorized format strings to be injected into sensitive parts of the highly fortified Apple OS. He and other security experts, however, said there was little chance of the bug being exploited maliciously.

A quick analysis of the bug by an outside researcher agreed that it isn’t likely the bug could be exploited to execute malicious code. The analysis also found that the bug appears to stem from a flaw in an iOS logging component that uses the concat function to effectively convert the SSID string into a format string before writing it to the log file.

Because the strings aren’t echoed to sensitive parts of the iOS, a hacker is unlikely to succeed in abusing the logging feature maliciously. Besides that, an exploit would require a person to actively join a network that contains a suspicious-looking name.

“For the exploitability, it doesn’t echo and the rest of the parameters don’t seem to be controllable,” the researcher wrote. “Thus I don’t think this case is exploitable. After all, to trigger this bug, you need to connect to that WiFi, where the SSID is visible to the victim. A phishing Wi-Fi portal page might as well be more effective.”

But…

Not all researchers reached the same assessment. Researchers from security firm AirEye, for instance, said that the technique could be used to bypass security appliances that sit at the perimeter of a network to block unauthorized data from entering or exiting.

“What we found was that although the latest iPhone Format String flaw is perceived as seemingly benign, the implications of this vulnerability stretch far and beyond any joking matter,” AirEye researcher Amichai Shulman wrote. “If you are responsible for the security of your organization, you should be aware of this vulnerability as a related attack can affect corporate data while bypassing common security controls such as NAC, firewalls and DLP solutions.”

The bug is what’s known as an uncontrolled format string bug. The flaw arises when corrupted user input is the format string parameter in certain functions written in C and C-style languages. Use of format tokens such as %s and %x can in some cases print data to memory. The bug was initially considered harmless. More recently, researchers have recognized the potential for writing malicious code using the %n format token.

The most surprising thing about this bug is the fact that it exists at all. A wide assortment of programming guidelines exists for preventing these types of format string flaws. The failure of what’s arguably the world’s most secure consumer OS to adequately implement these techniques in 2021 is the real story here.
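The logging pattern described above, next to the form the programming guidelines call for, as an added example that is not Apple's code or part of the original article. The function names, the log message text and the token counter are assumptions made for illustration; only the SSID comes from the article.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (constructed to mirror the article's description):
 * the SSID is concatenated into the string that is then used as the format. */
int log_join_unsafe(char *out, size_t n, const char *ssid) {
    char fmt[128];
    snprintf(fmt, sizeof fmt, "joining network %s", ssid);
    return snprintf(out, n, fmt);   /* BUG: tokens inside the SSID get interpreted */
}

/* Hardened form: the format string is a constant and the SSID is only data. */
int log_join_safe(char *out, size_t n, const char *ssid) {
    return snprintf(out, n, "joining network %s", ssid);
}

/* Rough count of '%' introducers a printf-style parser would act on.
 * "%%" is a literal percent sign and a trailing lone '%' is ignored. */
int count_format_tokens(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent sign */
        if (s[1] == '\0') break;              /* nothing follows the '%' */
        count++;
    }
    return count;
}

int main(void) {
    const char *ssid = "%p%s%s%s%s%n";        /* SSID quoted in the article */
    char line[128];

    /* The safe logger writes the SSID byte for byte. */
    log_join_safe(line, sizeof line, ssid);
    printf("%s\n", line);

    /* What a logger using the SSID as its format would have tried to expand. */
    printf("format tokens in SSID: %d\n", count_format_tokens(ssid));
    return 0;
}
```

Compilers flag the unsafe call when `-Wformat-security` is enabled, which is one of the checks that catches this class of bug before it ships.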
