SoylentNews

upstart [soylentnews.org] writes:

████ # This file was generated bot-o-matically! Edit at your own risk. ████

iPhone bug breaks WiFi when you join hotspot with unusual name [bleepingcomputer.com]:

​A new iPhone bug has come to light that breaks your iPhone's wireless functionality by merely connecting to a specific WiFi hotspot.

Once triggered, the bug would render your iPhone unable to establish a WiFi connection, even if it is rebooted or the WiFi hotspot is renamed.

A bug like this could be exploited by malicious actors planting rogue WiFi hotspots in popular areas to bork iPhone devices connecting to them.

This WiFi hotspot will bork your iPhone

This week, reverse engineer Carl Schou [twitter.com] ran into an issue when connecting to his personal WiFi hotspot named:

%p%s%s%s%s%n

On connecting to the hotspot, his iPhone's WiFi would be disabled, and every time he tried to enable it again, it would quickly turn off, even if he restarted the device or the hotspot name was changed:

"After joining my personal WiFi with the SSID '%p%s%s%s%s%n', my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~)," tweeted [twitter.com] Schou.

Schou told BleepingComputer that his experiment worked successfully on an iPhone XS, running iOS version 14.4.2.

Tests conducted by BleepingComputer on an iPhone running iOS 14.6 confirm an iPhone's wireless functionality would break after connecting to the strangely named wireless network.

%p%s%s%s%s%n SSID available to join​​​​​​
Source: BleepingComputer

In multiple tests attempting to connect to this strange SSID, our Wi-Fi settings would begin to function erratically, but all led to the same behavior - the breaking of our iPhone's wireless connectivity.

In some tests, connecting to the SSID would fail, but we could no longer access our regular wireless network.

Other tests led to the behavior described by Schou, where the iPhones Wi-Fi setting would be disabled, and we could no longer enable it again, as shown below.

WiFi setting is broken after connecting to SSID
Source: BleepingComputer

The only way to fix our iPhone's broken Wi-Fi feature was to reset the device's iPhone network settings, which we describe how to do at the end of the article.

A bug like this is serious, considering malicious actors could plant rogue WiFi hotspots (needing no password) in popular areas to bork iPhone devices that connect to them.

According to users, the issue is unique to iPhones and does not appear to be reproducible on Android devices:

So I haven't done any homework on this bug / wouldn't even really know where to look but i'm guessing this is just an ios bug??
Old ass android had no issue connecting to and saving it both open and with wpa2. pic.twitter.com/ydegK7AR7x [t.co]

— MobCat (@MobCat99) June 19, 2021 [twitter.com]

Likely a string formatting vulnerability

Other security researchers who saw Schou's tweet and analyzed the crash report [chichou.me] believe that an input parsing issue likely causes this bug.

When a string with "%" signs exists in WiFi hotspot names, iOS may be mistakenly interpreting the letters following "%" as string-format specifiers when they are not.

In C and C-style languages, string format specifiers [wikipedia.org] have a special meaning and are processed by the language compiler as a variable name or a command rather than just text.

For example, the following printf command does not actually print the "%n" character but stores the number of characters (10) preceding %n into the variable "c."

The "%n" is merely a format specifier and not an actual text string. As such, the output of the following line will simply be "geeks for geeks," with no mention of "%n."

printf("geeks for %ngeeks ", &c); How the "%n" format specifier works in C (GeeksForGeeks [geeksforgeeks.org])

Some users have claimed [twitter.com] previously inserting the relatively innocuous [stackoverflow.com] "%x" format specifiers in their WiFi SSID to avoid causing major issues for unsuspecting WiFi users.

When asked what was his motivation to name his WiFi hotspot with the funky string specifiers, the reverse engineer said:

"All my devices are named after format strings to f*** with poorly developed devices," Schou told BleepingComputer.

How to rescue your iPhone from this WiFi bug?

Although restarting your iPhone won't fix the issue, this bug is not permanent and can be fixed without resetting your entire device.

Instead, you can follow these simple steps to reset your iOS network settings to resolve the issue:

1. Go to Settings on your iPhone, select General.
2. Under General select Reset.
3. You will now be at the Reset screen, where you can reset various features of iOS or the device itself.
   
   ​​​​​​​At this screen, select the 'Reset Network Settings' option and confirm you would like to continue when asked. Resetting network settings on an iPhone (Apple [apple.com])
4. The device will now restart and reset all of your network settings back to factory default. Once it has restarted, enter your passcode, and you can reconfigure your Wi-Fi settings again.

​​​​​​​BleepingComputer has reached out to Apple for comment before publishing, and we are awaiting their response.

Update 20th Jun 11:13 AM: Linked to a researcher's analysis of the crash report associated with this bug, published after we first released the story.

Original Submission