A researcher has found a way to disable the WiFi functionality on iPhones by getting them to join a WiFi hotspot with a weird name.
This shouldn’t be happening. The first thing you learn in coding school when it comes to input (which is literally any data a device has to do something with) is to validate it. Well, maybe not the first thing, but if you want to practice secure coding it is one of the most important things: Make sure that a hacker can not abuse your application by feeding it something it can’t digest. Like a WiFi network name.
It is not the first time by the way that iPhones can be compromised by using a format string vulnerability. And I’m afraid it will not be the last.
Let’s talk iPhone
iPhones are supposedly much more secure than Android devices, but as it turns out I can disconnect your secure iPhone from any WiFi by using a simple format string vulnerability. All I would have to do is make you connect to a specific WiFi hotspot.
The magical WiFi network name (SSID) for fritzing your phone is %p%s%s%s%s%n
but since the underlying issue is almost certainly the fact that
%
is interpreted as a string format specifier, you can bet there are more possibilities to be found.
String format specifiers
In programming you sometimes have to build words and sentences you want to show the user using some information you know in advance, and some you don’t. In C and C-style languages, string format specifiers are used. They have a special meaning and are processed as variables or commands by the printf
function.
A simple printf command might look like this:
printf("Malwarebytes %n rules", &c);
In this example %n
is a string format specifier that modifies the output. When the program prints the sentence “Malwarebytes %n rules” the
%n
will be replaced by the number of characters preceding it, so it will output:
Malwarebytes 13 rules
There are many other format specifiers that do different things. They look like a percentage sign followed by a single character that specifies the type of data, for example %
s will be replaced by a string of characters,
%d
by a number (a decimal integer), %p
by a pointer address and so on.
So you can see why an WiFi network called %p%s%s%s%s%n
might cause problems. Apple’s programmers should have ensured their code reads names like that as percent signs and letters, not as string format specifiers. It seems they didn’t.
Seriousness
I can hear you thinking, so what? I would never join a WiFi Hotspot with such a weird name. Well, maybe you wouldn’t, if you would notice that the name looks out of the ordinary. But anyone can spoof a well-known SSID and your device will happily connect to it again if it’s connected to an open SSID by that name before.
Other research has shown that the vulnerability is not only restricted to the iOS operating system, it can potentially affect the macOS operating system. The same research team found a way to construct the network name in a way that does not expose the user to the weird characters, making it look like a legitimate, existing network name.
It is not impossible that researchers will find a way to construct SSID names that can lead to remote code execution (RCE) attacks. But this will probably turn out to be too complicated since you would be limited by the maximum length of an SSID (32 characters), the limited functionality of the string format specifier, and the memory location of the format string. The format string is located on the heap which does not provide the attacker control of the pointers on stack. Which is not to say that this method could not be used in combination with other vulnerabilities.
Recovery from testing
If you couldn’t resist testing this and now you want your WiFi options back, here is how to do it. You will have to reset their iPhone network settings (Settings > General > Reset > Reset Network Settings), which will erase all your WiFi passwords. This is not a permanent fix for the issue. Any time your device is affected by the issue, you will have to reset it again.
And don’t go overboard with your testing. As this researcher has found out the reset does not work for every possible string.