Connecting to malicious Wi-Fi networks can mess with your iPhone


There’s a bug in iOS that disables Wi-Fi connectivity when devices join a network that uses a booby-trapped name, a researcher disclosed over the weekend.

By connecting to a Wi-Fi network that uses the SSID “%p%s%s%s%s%n” (quotation marks not included), iPhones and iPads lose the ability to join that network or any other network going forward, reverse engineer Carl Schou reported on Twitter.

It didn’t take long for trolls to capitalize on the finding.

An absence of malice

Schou, who is the owner of the hacking resource Secret Club, initially saw no easy way to restore Wi-Fi capabilities. Eventually, he found that users could reset network functionality by opening Settings > General > Reset > Reset Network Settings.

Apple representatives didn’t respond to emailed questions, including whether there were plans to fix the bug and whether it affected macOS or other Apple products.

Schou said in an Internet message that the bug is caused by the internal logging functionality in the iOS Wi-Fi daemon, which uses the SSID inside format expressions. The condition makes it possible in some cases for unauthorized format strings to be injected into sensitive parts of the highly fortified Apple OS. He and other security experts, however, said there was little chance of the bug being exploited maliciously.

“In my opinion, the real-world threat is minimal as you are quite constrained by the length of the SSID and the format expression itself,” he explained. “You could potentially turn this into an information disclosure in the logger, but I don’t think it’s even remotely possible to get code execution.”

A quick analysis of the bug by an outside researcher agreed that it isn’t likely the bug could be exploited to execute malicious code. The analysis also found that the bug appears to stem from a flaw in an iOS logging component that uses the concat function to effectively convert the SSID string into a format string before writing it to the log file.

Because the strings aren’t echoed to sensitive parts of iOS, a hacker is unlikely to succeed in abusing the logging function maliciously. Besides that, an exploit would require a person to actively join a network that carries a suspicious-looking name.

“For the exploitability, it doesn’t echo and the rest of the parameters don’t seem to be controllable,” the researcher wrote. “Thus I don’t think this case is exploitable. After all, to trigger this bug, you need to connect to that WiFi, where the SSID is visible to the victim. A phishing Wi-Fi portal page might as well be more effective.”

However…

Not all researchers reached the same assessment. Researchers from security firm AirEye, for instance, said that the technique could be used to bypass security appliances that sit on the perimeter of a network to block unauthorized data from entering or leaving.

“What we found was that although the latest iPhone Format String flaw is perceived as seemingly benign, the implications of this vulnerability stretch far and beyond any joking matter,” AirEye researcher Amichai Shulman wrote. “If you are responsible for the security of your organization, you should be aware of this vulnerability as a related attack can affect corporate data while bypassing common security controls such as NAC, firewalls and DLP solutions.”

Shulman also said that macOS is affected by the same bug. Ars couldn’t immediately confirm this claim. Schou said he hasn’t tested macOS but that others have reported they were unable to reproduce the error on that OS.

The real story

Schou told me that the network crashes don’t happen every time an iOS device connects to a malicious SSID. “It is nondeterministic, and sometimes you are lucky enough that the Wi-Fi daemon crashes without persisting the SSID,” he explained. The flaw has existed since at least iOS 14.4.2, which was released in March, and possibly for years before that.

He said he discovered the bug when he connected an iPhone to one of his wireless routers. “All of my devices are named after various injection techniques to mess with old devices that don’t sanitize input,” Schou said. “And apparently, the latest iOS.”

The crash is caused by what researchers call an uncontrolled format string bug. The flaw arises when untrusted user input is used as the format string parameter in certain functions written in C and C-style languages. Use of format tokens such as %s and %x can in some cases print data from memory. The bug was originally considered harmless. More recently, researchers have recognized the potential for writing malicious code using the %n format token.
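To make the logging flaw described above concrete (the daemon building a log message that contains the SSID and then handing that message to a printf-style routine as its format string), here is an added example in C. It is not Apple's code and not from the article or its researchers; `wifi_log`, `log_ssid_unsafe`, `log_ssid_safe` and `contains_format_directive` are hypothetical names, and the SSID “Cafe 100%%” is a constructed sample chosen because `%%` is the one directive whose interpretation is well defined without arguments. The unsafe path lets the SSID's `%` sequences be interpreted; the fixed path passes the SSID as a `%s` argument so it stays plain data. Handing the article's SSID to the unsafe path would be undefined behaviour (that is the crash), so the example never does that; the defender-side check only inspects the string.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for the Wi-Fi daemon's
 * internal logging routine described in the article (not Apple's code). */
static int wifi_log(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return written;
}

/* VULNERABLE pattern (uncontrolled format string, CWE-134): the SSID is
 * concatenated into the message and the result is handed to the logger AS
 * THE FORMAT STRING, so any conversion specifiers in the SSID are
 * interpreted. Calling this with the article's "%p%s%s%s%s%n" SSID is
 * undefined behaviour; the demo only uses "%%", which is well defined. */
static int log_ssid_unsafe(char *out, size_t out_len, const char *ssid)
{
    char message[160];
    snprintf(message, sizeof message, "joined network %s", ssid);
    return wifi_log(out, out_len, message);   /* untrusted data is now the format */
}

/* FIXED pattern: the format string is a literal chosen by the programmer
 * and the SSID travels as a %s argument, so it is opaque data whatever
 * characters it contains. */
static int log_ssid_safe(char *out, size_t out_len, const char *ssid)
{
    return wifi_log(out, out_len, "joined network %s", ssid);
}

/* Defender-side check: does a string contain anything printf would treat
 * as a conversion specification? Handy for flagging odd SSIDs in telemetry
 * or log review; it is not a substitute for the fix above. */
static bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        /* skip flags, width and precision characters */
        while (*p != '\0' && strchr("-+ #0123456789.*", *p) != NULL)
            p++;
        /* skip length modifiers */
        while (*p != '\0' && strchr("hlLqjzt", *p) != NULL)
            p++;
        /* a conversion character here completes a directive */
        if (*p != '\0' && strchr("diouxXeEfFgGaAcspn%", *p) != NULL)
            return true;
        if (*p == '\0')
            break;   /* lone trailing '%': not a complete directive */
    }
    return false;
}

/* Helper for checking results: render an SSID through one path and compare
 * the produced log line against what the caller expects. */
static bool renders_as(bool safe_path, const char *ssid, const char *expected)
{
    char line[200];
    if (safe_path)
        log_ssid_safe(line, sizeof line, ssid);
    else
        log_ssid_unsafe(line, sizeof line, ssid);
    return strcmp(line, expected) == 0;
}

int main(void)
{
    char line[200];
    const char *demo = "Cafe 100%%";   /* constructed sample SSID */

    log_ssid_unsafe(line, sizeof line, demo);
    printf("unsafe: %s\n", line);   /* "%%" collapsed to "%": it was interpreted */
    log_ssid_safe(line, sizeof line, demo);
    printf("safe:   %s\n", line);   /* SSID reproduced verbatim */

    /* The article's SSID is harmless on the fixed path. */
    log_ssid_safe(line, sizeof line, "%p%s%s%s%s%n");
    printf("safe:   %s\n", line);
    printf("flagged: %s\n",
           contains_format_directive("%p%s%s%s%s%n") ? "yes" : "no");
    return 0;
}
```

The difference between the two log lines for the same SSID is the whole bug: on the unsafe path the logger consumed the SSID's `%` sequences as instructions, and with conversions like `%s` or `%n` it would read from or write to memory it was never meant to touch. The fix is the one the programming guidelines mentioned below prescribe: never pass data as a format string.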

The most surprising thing about this bug is the fact that it exists at all. A large collection of programming guidelines exists for preventing these types of format string flaws. The failure of what’s arguably the world’s most secure consumer OS to adequately implement these techniques in 2021 is the real story here.