iPhone bug breaks WiFi when you join hotspot with unusual name
Latest in cybersecurity.
A new iPhone bug has come to light that breaks your iPhone’s wireless functionality by merely connecting to a specific WiFi hotspot.
Once triggered, the bug would render your iPhone unable to establish a WiFi connection, even if it is rebooted or the WiFi hotspot is renamed.
A bug like this could be exploited by malicious actors planting rogue WiFi hotspots in popular areas to bork iPhone devices connecting to them.
This WiFi hotspot will bork your iPhone
This week, reverse engineer Carl Schou ran into an issue when connecting to his personal WiFi hotspot named:
On connecting to the hotspot, his iPhone’s WiFi would be disabled, and every time he tried to enable it again, it would quickly turn off, even if he restarted the device or the hotspot name was changed:
“After joining my personal WiFi with the SSID ’%p%s%s%s%s%n’, my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~),” tweeted Schou.
Schou told BleepingComputer that his experiment worked successfully on an iPhone XS, running iOS version 14.4.2.
Tests conducted by BleepingComputer on an iPhone running iOS 14.6 confirm an iPhone’s wireless functionality would break after connecting to the strangely named wireless network.
In multiple tests attempting to connect to this strange SSID, our Wi-Fi settings would begin to function erratically, but all led to the same behavior – the breaking of our iPhone’s wireless connectivity.
In some tests, connecting to the SSID would fail, but we could no longer access our regular wireless network.
Other tests led to the behavior described by Schou, where the iPhones Wi-Fi setting would be disabled, and we could no longer enable it again, as shown below.
The only way to fix our iPhone’s broken Wi-Fi feature was to reset the device’s iPhone network settings, which we describe how to do at the end of the article.
A bug like this is serious, considering malicious actors could plant rogue WiFi hotspots (needing no password) in popular areas to bork iPhone devices that connect to them.
According to users, the issue is unique to iPhones and does not appear to be reproducible on Android devices:
Likely a string formatting vulnerability
Other security researchers who saw Schou’s tweet believe that an input parsing issue likely causes this bug.
When a string with “%” signs exists in WiFi hotspot names, iOS may be mistakenly interpreting the letters following “%” as string-format specifiers when they are not.
In C and C-style languages, string format specifiers have a special meaning and are processed by the language compiler as a variable name or a command rather than just text.
For example, the following printf command does not actually print the “%n” character but stores the number of characters (10) preceding %n into the variable “c.”
The “%n” is merely a format specifier and not an actual text string. As such, the output of the following line will simply be ”geeks for geeks,” with no mention of “%n.”
printf(“geeks for %ngeeks “, &c);
When asked what was his motivation to name his WiFi hotspot with the funky string specifiers, the reverse engineer said:
“All my devices are named after format strings to f*** with poorly developed devices,” Schou told BleepingComputer.
How to rescue your iPhone from this WiFi bug?
Although restarting your iPhone won’t fix the issue, this bug is not permanent and can be fixed without resetting your entire device.
Instead, you can follow these simple steps to reset your iOS network settings to resolve the issue:
- Go to Settings on your iPhone, select General.
- Under General select Reset.
- You will now be at the Reset screen, where you can reset various features of iOS or the device itself.
At this screen, select the ‘Reset Network Settings’ option and confirm you would like to continue when asked.
- The device will now restart and reset all of your network settings back to factory default. Once it has restarted, enter your passcode, and you can reconfigure your Wi-Fi settings again.
BleepingComputer has reached out to Apple for comment before publishing, and we are awaiting their response.
via BleepingComputer https://ift.tt/2fDDDRH
June 19, 2021 at 03:13PM