That iPhone WiFi crash bug is far worse than initially thought
An innocuous iPhone bug that could crash the WiFi service has turned out to be far worse than initially thought after mobile security firm ZecOps showed on Friday how the bug could be abused for remote code execution attacks.
Discovered last month by Danish security researcher Carl Schou, the bug could crash any up-to-date iPhone that connected to an access point or WiFi network with a name of %p%s%s%s%s%n.
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3
— Carl Schou (@vm_call) June 18, 2021
Since WiFi network names are written on disk in certain files, every time the iPhone tried to connect to a WiFi network, iOS would read those files and crash and reboot in a loop.
Initially, the bug was considered a pretty big deal before iOS experts discovered that disabling WiFi and resetting iOS network settings would clear those local files of the problematic network name and allow users to use their WiFi feature again.
Settings > General > Reset > Reset Network Settings
At the heart of the problem was the "%" character in the WiFi network name, which in Objective-C, the main programming language of iOS, also marks the start of a format specifier (a placeholder such as %s or %n) whenever a string is handed to a printf-style formatting function as its format argument.
In new research published on Friday, security firm ZecOps said that they found a new string pattern that, when added to WiFi network names, could have far worse consequences than just crashing an iPhone's WiFi service.
By adding "%@" to a network name, ZecOps said that a malicious threat actor could abuse the crash-pattern loop in the WiFi service to execute custom code in what could be described as a use-after-free vulnerability.
Since iOS automatically connects users to the closest WiFi network, ZecOps said the bug could be exploited in zero-click scenarios just by creating a malicious WiFi network name and then waiting for nearby users to connect to it when close enough.
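As an added illustration written for this article (not code from Apple, ZecOps or the researchers quoted), the C below shows the root cause from a defender's side: a scanner that counts the printf-style directives an untrusted SSID would trigger if it were ever used as a format string, beside a logging routine that keeps the format constant so the SSID is treated only as data. All function and struct names are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Result of scanning an untrusted string for printf-style directives. */
struct fmt_scan {
    int conversions;   /* directives that would consume an argument: %s, %p, %@, ... */
    int writes;        /* %n directives, which write an int through a pointer */
};

/* Walk the string the way a format parser would: '%' starts a directive,
 * "%%" is a literal percent, and the first character after any flags, width,
 * precision or length modifier is the conversion. "%@" is Objective-C's
 * object specifier, so it is counted as a conversion like %s or %p. */
struct fmt_scan scan_format_directives(const char *s)
{
    struct fmt_scan r = {0, 0};
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" -> literal '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) p++;
        if (!*p) { r.conversions++; break; }     /* dangling '%' at end */
        if (*p == 'n') r.writes++; else r.conversions++;
    }
    return r;
}

/* A constructed SSID is "suspicious" if it contains any directive at all:
 * a legitimate network name has no reason to carry %s, %p, %@ or %n. */
int ssid_is_suspicious(const char *ssid)
{
    struct fmt_scan r = scan_format_directives(ssid);
    return r.conversions > 0 || r.writes > 0;
}

/* HARDENED logging: the format is a constant and the SSID is only data.
 * The vulnerable shape this fixes is snprintf(out, n, ssid), where the
 * attacker-chosen string becomes the format itself and every directive
 * above is interpreted against whatever happens to be on the stack. */
int log_ssid_safe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, "Joined SSID: %s", ssid);
}

int main(void)
{
    char buf[128];
    const char *ssid = "%p%s%s%s%s%n";   /* constructed sample from the article */
    struct fmt_scan r = scan_format_directives(ssid);
    printf("conversions=%d writes=%d suspicious=%d\n", r.conversions, r.writes, ssid_is_suspicious(ssid));
    log_ssid_safe(buf, sizeof buf, ssid);
    printf("%s\n", buf);                 /* the SSID is printed literally, nothing is interpreted */
    return 0;
}
```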
WiFiDemon RCE already fixed in current iOS version
ZecOps said that while the original crash bug discovered last month impacted all iOS 14.x versions, the remote code execution (RCE) variant they found last week only worked for iPhones and iPads running iOS versions from 14.0 and up to 14.4.
The San Francisco-based security firm said the bug was mysteriously patched in January 2021 with the release of iOS 14.4 but without much fanfare from the Apple security team.
As a result of their findings, ZecOps is now advising iPhone and iPad users to update their devices to the latest iOS version in order to prevent threat actors from exploiting this issue —which they nicknamed WiFiDemon— to run malicious code on out-of-date devices.
Older iOS releases prior to iOS 14.x are not vulnerable to WiFiDemon RCE or crash attacks, researchers said.
I'm not exactly surprised that a format string vulnerability was exploitable, but still
— saleem (@saleemrash1d) July 17, 2021
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.