By | Mohd Alif Erfan Bin Mohd Efendi, Ahmad Azizul Iqram Bin Musa
Introduction
The Internet has become a necessity in today’s modern life. People connect to the Internet either through mobile data or Wi-Fi. However, when we are running low on mobile data, we tend to connect our device to any free and open Wi-Fi networks.
To avoid becoming the next hacking victim, it is not recommended to connect your devices to unknown open Wi-Fi networks. When you already have access to open Wi-Fi, you are at risk. For example, hackers can distribute malicious scripts into your device and wreak havoc.
There is also another risk related to Wi- Fi connectivity. Based on recent findings, connecting to an unknown network through an iPhone can result in denial of service for the device.
Background
A newly discovered iPhone bug was found by Carl Shou on Friday, 19th June 2021. On his Twitter account, he posted a video about his phone not being able to connect to the Wi- Fi after he tried connecting it to his personal hotspot named “%p%s%s%s%s%n”.
Apparently, the Wi-Fi on his iPhone was disabled and unable to connect at all for unknown reasons. Carl Shou stated that the issue happened on his iPhone XS running on iOS 14.42. According to the video, his iPhone's Wi-Fi features stuttered, trying to connect to other networks and then it disables the device's Wi-Fi. Shou tried to fix it by changing the SSID and restarting his device, but both options did not resolve the issue. [1]
Bleeping Computer, a website for technology-related news also tested the newly found bug on iPhones that uses the latest iOS version - iOS 14.6, and the same issue occurred. The Wi-Fi feature cannot be used after trying to connect to a strangely named SSID on the Wi-Fi network.
Cause of Issues
Security researchers that saw Schou’s tweet believed that the bug occurred because of an input parsing issue, likely a string format vulnerability. When a string with ‘%’ symbols exist in Wi-Fi hotspot names, iOS may be mistakenly interpreting the letters following the ‘%’ sign as string-format specifiers when they are not.
In C language, string format specifiers have a special meaning and are processed by the language compiler as a variable name or a command instead of plain text. For example, the ‘%s’ is specified for string format and ‘%d’ is specified for decimal in C language, which is often used with the printf and scanf function.
In this situation, the SSID has been named without any function before the ‘%’ sign which may have caused this type of bug to occur.
When asked why Schou named his Wi-Fi hotspot with a ‘unique’ name, he said:
“All my devices are named after format strings to f*** with poorly developed devices.”
Security Risks
The newly found bug has the potential to become a security risk as it could allow hackers to launch free Wi-Fi hotspots to the public allowing iPhone users to connect to them and cause their device this type of problem. The bug could not be replicated on Android devices, therefore this is specifically for iOS operating system only.
Some security experts believe that the ‘%’ character in the SSID confuses the operating system with programming commands or variables causing the operating system to be in an unusual state.
Jake Moore, cybersecurity specialist at ESET said:
“Although iOS is extremely intelligent, the ‘%’ character can trip up an operating system by confusing it into thinking it’s an altered command from another language. Luckily this bug isn’t permanent but with a devilish mind, malicious actors could exploit those who click on it and take advantage of their situation.”
New Net Technologies, Dirk Schrader stated that format string bugs are very common and also a major issue in web applications development. He also stated that string handling is one of the first lessons any developer learns before developing a system.
Schrader explained that this bug can be exploited because a system that is unable to process a given string correctly will end up in an undefined state. The outcome of this undefined state will mostly lead to resetting the application or the device.
Some experts disagree that the bug’s potential can be used as an exploit. China-based security researcher, Zhi Zhou wrote about this format string bug. He stated that he does not believe this bug is exploitable to achieve code execution because it requires users to connect to Wi-Fi hotspots to trigger the bug.
Following the statement by Zhi Zhou, Schrader refined his earlier statement and agreed with Zhi Zhou saying that this is “a funny exploits and embarrassing for Apple, but not exploitable.”
Hank Schless, senior manager of security solutions at Lookout, stated that it is still early to decide whether the bug found is exploitable or not. But from a consumer’s point of view, there is nothing to be worried about for the time being about this bug. Schless also reminded users to keep their iPhone updated as most software updates today focus on fixing security bugs.
How To Fix
As stated before, simply restarting the iPhone will not fix this issue. Luckily the bug is not permanent and can be fixed without having to reset the entire device.
The good news is that the fix to resolve this newly found bug does not require a lot of steps. One simply needs to reset the network settings on iPhone by going to Settings > General > Reset > Reset Network Settings. This will reset all the network settings back to default and restart the device. Once the device has restarted, the user can reconfigure the Wi-Fi settings again.
Conclusion
The bug in iPhone on SSID string format vulnerability can lead to Denial of Services (DoS) attack as it does not allow the user to use any Wi-Fi features after trying to connect to the SSID named “%p%s%s%s%s%n”. DoS prevents users from accessing certain features on the devices. In this situation, Wi-Fi services were disabled after connecting to the unique SSID.
It is recommended that iPhone users avoid connecting to random Wi-Fi hotspots especially those with the % character. In general, it is a best practice for all of us to avoid any unknown hotspots to ensure our device is secured. If possible, always use a VPN connection for optimum security.
For Wi-Fi providers, it is suggested to avoid using special symbols, specifically the character ‘%’ in the SSID to prevent any security incident towards Wi-Fi users using an iPhone.
In addition, newly found bugs will always have the probability to be exploited by hackers unless security patch update is available from the developer. It is advisable to always update your software with the latest security features to keep your device and software more secure.
