A bug in the way iOS handles Wi-Fi hotspot names is apparently worse than first thought, with one malformed SSID found to disable Wi-Fi access on an iPhone completely, requiring a factory reset to rectify it.
In June, security researcher Carl Schou discovered a personal Wi-Fi hotspot name of "%p%s%s%s%s%n" causes problems for iOS devices. It was found that iPhones simply couldn't connect to the hotspot, and in fact disabled Wi-Fi connectivity in some instances.
While that issue could be fixed by resetting the network settings within iOS, Schou has since discovered a variant along the same lines that can cause more harm to an unsuspecting iPhone. According to Schou in a tweet on Sunday, using the SSID "%secretclub%power" can disable an iOS device's Wi-Fi capabilities, with no guarantee that a network settings reset will restore connectivity.
You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power
Resetting network settings is not guaranteed to restore functionality. #infosec #0day
— Carl Schou (@vm_call) July 4, 2021
Schou claims the iPhone used to test still didn't have Wi-Fi after repeated resets of network settings and a forced restart of the iPhone. The researcher has also contacted Apple's device security team over the matter, but has yet to hear anything back.
The original bug was believed to be an issue with input parsing, where the percentage sign could be misinterpreted by iOS as the start of a string-format specifier: the characters following the symbol are treated as a placeholder that reads a value from memory or an argument list, rather than as plain text.
While the new SSID does jokingly promote Secret Club, a technology exploration group Schou is involved with, the percentage signs followed by the characters S and P are most likely the problem areas for the hotspot name bug. Analysis of the issue confirms a format string bug is behind it, though it doesn't seem to be a highly exploitable vulnerability for a bad actor.
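To make the parsing point concrete, here is an added example in C; it is not Apple's code and does not claim to reproduce iOS internals. It shows the two things a defender cares about: a scanner that counts printf-style conversions hidden in an SSID (the kind of check a network layer could apply before logging or displaying a name), and the safe logging idiom in which untrusted text is only ever passed as a `%s` argument, never as the format string itself. The function names and the "joining SSID" message are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversions in an untrusted string (added example).
 * A conversion is '%' followed by optional flags, width, precision and
 * length modifiers, then a conversion letter. "%%" is a literal percent
 * and is not counted. Returns -1 for a dangling or unrecognised '%',
 * which a caller should also treat as suspect. */
int count_format_conversions(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                                  /* "%%" */
        while (*p && strchr("-+ #0", *p)) p++;                    /* flags */
        while (*p >= '0' && *p <= '9') p++;                       /* width */
        if (*p == '.') { p++; while (*p >= '0' && *p <= '9') p++; } /* precision */
        while (*p && strchr("hlLqjzt", *p)) p++;                  /* length */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) n++;          /* conversion */
        else return -1;                   /* '%' at end or unknown letter */
    }
    return n;
}

/* Safe pattern: the SSID is data bound to a fixed "%s", so any '%' it
 * contains is copied verbatim instead of being interpreted.
 * (The unsafe pattern would be snprintf(buf, size, ssid), with the SSID
 * itself as the format; it is deliberately not written out here.) */
const char *safe_ssid_message(const char *ssid) {
    static char buf[128];
    snprintf(buf, sizeof buf, "joining SSID \"%s\"", ssid);
    return buf;
}

int main(void) {
    /* Constructed sample SSIDs, including the two names from the article. */
    const char *names[] = { "HomeNetwork", "%p%s%s%s%s%n", "%secretclub%power",
                            "100%%legit", "Sale 50%" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int c = count_format_conversions(names[i]);
        printf("%-20s conversions=%2d  -> %s\n", names[i], c,
               safe_ssid_message(names[i]));
    }
    return 0;
}
```

A name that scores above zero (or -1) is worth flagging in telemetry and rendering with extra care; the real fix, however, is the second function's shape, since no amount of input filtering substitutes for never letting untrusted bytes become a format string.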
It is highly likely that there are many more combinations of text strings that could cause problems within iOS in this manner, but only until the bug is patched out by Apple. While the company is beta-testing iOS 14.7 and iOS 15, it is unclear if the issue will be fixed in those releases by the company.
For the moment, AppleInsider recommends users don't connect to unfamiliar Wi-Fi access points, especially if they include unusual symbols.
12 Comments
Well this is one I'm not going to test.
I have found if my PW has similar characters, it creates an issue with Wi-Fi not working correctly on an iPod touch.
Even a factory reset has not solved the issue.
PW has also been changed.
Why would a router name ever be handled as anything other than a plain text string? Why is it even possible for that string to be read as some kind of format/type specifier?
Databases usually have “illegal” characters stripped, and it has, in my past experience, been extremely irritating to see which characters certain databases dislike (inconsistently), because of how it limits the human usage of said databases. There are still systems on the internet that refuse to accept modern password strength requirements (government and corporate), forcing a maximum of 8 characters for password and/or user ID. What outdated software are they running??
We generally find protection against storing illegal characters, such as in file & volume name dialogs. That same process isn’t used to limit WiFi IDs? Is there not a formalized definition for a WiFi ID’s allowable characters?
Why, in modern computing, is it still possible to break things via “unexpected” characters?