Apple's iOS susceptible to Wi-Fi network naming bug

Apple's latest software update for its iPhone and iPad brought several security patches, including a fix for a weakness in Wi-Fi-connected devices which could expose users to nearby hackers.

But according to Zhi Zhou, a security engineer at Ant Financial Light-Year Security Labs, there is a wireless network naming bug affecting Apple's iOS which could effectively disable an iPhone's ability to connect to Wi-Fi networks. The bug was first spotted by Carl Schou, who discovered that his iPhone's Wi-Fi functionality was disabled after joining a Wi-Fi network with the name "%p%s%s%s%s%n", and stayed disabled even after rebooting the phone.

Carl Schou noted that after joining the Wi-Fi network with the SSID “%p%s%s%s%s%n”, his iPhone's Wi-Fi functionality was permanently disabled, and neither rebooting nor changing the SSID could fix it.

Analysis of the SSID Format String Bug



The bug stems from the way Apple's iOS handles the SSID: it concatenates the SSID into a format string and passes it to the WFLog:message: method, so any format specifiers in the network name are interpreted instead of being logged as plain text. With the destination set to 3, it was the second xref of CFStringCreateWithFormatAndArguments that triggered the denial of service.
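The pattern described above, reduced to plain C as an added example (not Apple's code and not from the original analysis): an SSID concatenated into a format string, next to the hardened form that passes it as data, plus a small check for format directives in an SSID. The function names, the log text and the `vsnprintf`-based sink are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32  /* an 802.11 SSID is at most 32 octets */

/* Hypothetical printf-style log sink, standing in for the logger on the page. */
int log_message(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, cap, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern, defined for comparison and never called here: the SSID
 * is concatenated into the format string, so "%s" or "%n" inside it become
 * directives that read or write arguments which were never passed. */
int log_join_vulnerable(char *out, size_t cap, const char *ssid) {
    char fmt[64];
    snprintf(fmt, sizeof fmt, "Joining network: %s", ssid);
    return log_message(out, cap, fmt);
}

/* Hardened form: constant format string, SSID passed as bounded data. */
int log_join_safe(char *out, size_t cap, const char *ssid, size_t len) {
    if (len > SSID_MAX) len = SSID_MAX;
    return log_message(out, cap, "Joining network: %.*s", (int)len, ssid);
}

/* Detection helper: count '%' directives a formatter would act on. */
size_t count_format_directives(const char *ssid, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (ssid[i] != '%') continue;
        if (i + 1 < len && ssid[i + 1] == '%') { i++; continue; } /* "%%" is literal */
        n++;
    }
    return n;
}

int main(void) {
    const char *ssid = "%p%s%s%s%s%n";  /* SSID quoted in the article */
    char line[128];
    log_join_safe(line, sizeof line, ssid, strlen(ssid));
    printf("%s (directives: %zu)\n", line, count_format_directives(ssid, strlen(ssid)));
    return 0;
}
```

In the hardened form the SSID is copied byte for byte into the log line, so the network name from the article is recorded verbatim instead of being parsed.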



It could have had serious implications if bad actors exploited the issue by planting fraudulent Wi-Fi hotspots with this name to break a device's wireless networking features. As for exploitability, the rest of the parameters don't seem likely to be controllable, which makes this case inexploitable.

After all, you need to connect to that Wi-Fi network to trigger the bug, the SSID is visible to the victim, and a phishing Wi-Fi portal page might be even more effective.

How to Mitigate the iPhone Wi-Fi naming bug?



If you experimented with it and your iPhone has been affected by the bug, you need to reset the iOS network settings by going to Settings > General > Reset > Reset Network Settings and confirming.

Format string bugs like this one are rarely seen nowadays, and luckily, Android devices are not affected.
