FUD is spreading about a weirdly named personal network that a reverse engineer stumbled across and which he said “permanently” wrecked his iPhone’s Wi-Fi.
TL;DR version: The twitching inflicted on his iPhone, which he demonstrated in the 4-second Tweet below, wasn’t permanent. As replies to the initial post pointed out, an iPhone’s Wi-Fi can be restored by resetting network settings (Settings > General > Reset > Reset Network Settings).
It’s a painful action to take, given that it will wipe out all of a device’s Wi-Fi passwords, but it’s a lot better than the prospect of an iPhone’s Wi-Fi having been “permanently” barbecued.
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3
— Carl Schou (@vm_call) June 18, 2021
Having said that, the glitch is triggered by a string format bug that will inspire threat actors to dig “deeper into the inner workings of Apple’s Wi-Fi stack” to find out “what, exactly, causes the behavior and how to exploit it,” predicted security expert Dirk Schrader, global vice president at New Net Technologies.
On Friday, the reverse engineer, Carl Schou, said that hsi clip shows his iPhone Wi-Fi stuttering – trying to connect, then disabling the device’s Wi-Fi – when he joined his personal Wi-Fi network, named with the SSID “%p%s%s%s%s%n”. “My iPhone permanently disabled it’s [sic] WiFi functionality,” Schou wrote. “Neither rebooting nor changing SSID fixes it :~)”
Looks Like a Format String Bug
BleepingComputer confirmed the bug by repeatedly trying to connect to a network with that strangely named SSID: The news outlet reported that in doing so, it encountered the same Wi-Fi malfunction as Schou found.
Security blog CodeColorist picked the flaw apart and deemed it a format string bug: A vulnerability that’s been around since 2000 but which is “rarely seen nowadays,” researchers said. In these bugs, operating systems can misread certain characters to be commands rather than simply a name: In this case, the “%”.
Malicious users could use the “%s” and “%x” format tokens, among others, to print data from the call stack or possibly other locations in memory. They could also exploit the bug by writing arbitrary data to arbitrary locations using the “%n” format token, which commands “printf()” and similar functions to write the number of bytes formatted to an address stored on the stack.
As Forbes reports, this format string bug is similar to an SMS flaw that caused widespread messaging problems on iPhones in November and on into December 2020.
One respondent to Schou’s post claimed that they’re in the habit of inserting the “%x” format specifiers in their Wi-Fi SSID to avoid causing “too much havoc” for unsuspecting Wi-Fi users who might try to connect. “Haha the %n is really pushing it,” the respondent wrote about Schou’s “%p%s%s%s%s%n” SSID.
Schou told BleepingComputer that he cooked up that name, strung with wonky little landmines of string specifiers, to mess with devices. That shouldn’t be too surprising, given that he’s the founder of http://secret.club: a blog about reverse engineering, hacking, and “breaking your software in every way imaginable.”
All my devices are named after format strings to f*** with poorly developed devices. —Carl Schou
Schou told Threatpost via email on Monday that he “expected it would break older WiFi-enabled devices, and possibly newer IoT devices.”
Common Bugs That Could Be Weaponized
NNT’s Schrader noted that format string bugs are very common: “In fact they are a major issue in web application development, and string handling is one of the first lessons any developer learns,” he told Threatpost.
Schrader explained that they can be weaponized because “A system unable to process a given string correctly ends up in an undefined state,” The result of this kind of state can be benign, forcing a reset of the app, but at other times, these bugs can shoot to the opposite of benign, ending up in “high severity 0day vulnerabilities exploited by APTs,” he said. “That is also why this effect will certainly be scrutinized in detail by APTs and cyber-criminals gangs.
This One’s ‘Not Exploitable,’ But It Could Be
The CodeColorist said that this particular bug found by Schou doesn’t seem to be exploitable. “After all, to trigger this bug, you need to connect to that WiFi, where the SSID is visible to the victim,” the blog noted.
Schou agreed: He told Threatpost that this is “a funny exploit and embarrassing of Apple, but not exploitable.” He noted that to trigger the bug, you have to specifically connect to his maliciously named Wi-Fi, or one that’s similarly named.
On the other hand, a phishing Wi-Fi portal page that exploited this format string bug might prove to be more effective at exploiting it, according to the CodeColorist blog. It wouldn’t be the first time that a public hotspot was rigged: One of countless examples was when Magecart Group 5 was spotted testing and preparing code to be injected onto commercial routers, potentially opening up guests connecting to Wi-Fi networks to payment data theft.
A ‘Dumb-Case’ Scenario
That thought was echoed by NNT’s Schrader, who said that this type of bug could lead to “more real-life, serious issues,” such as a malicious actor boobytrapping a public Wi-Fi hotspot.
“At first, one might say that is not a worst-case scenario but rather a ‘dumb’ case scenario,” he observed to Threatpost via email on Monday. “Still, there is a notion in [that] this … can lead to more real-life, serious issues. Certainly, there will be those ‘whenever it’s free, I take it’ users that will connect to such a hotspot.”
Besides what one assumes is the unlikely prospect of unsuspecting hotspot seekers wandering onto Schou’s Wi-Fi-baffling personal network, and besides the prospect of having a string format bug like this used to set up a rigged public Wi-Fi spot, there’s also the possibility that malicious actors will “dig deeper into to find out about the inner workings of Apple’s WiFi stack and what exactly causes the behavior and how to exploit it,” Schrader noted.
Pending a fix from Apple users have to use their common sense, Schrader said, when it comes to taking Wi-Fi candy from strangers. “If it is free and looks phishy, it is phishy,” he said.
Hank Schless, senior manager of security solutions at Lookout, told Threatpost that it might be too early to tell whether Schou’s bug is exploitable. But, at least from a consumer perspective, “there isn’t any immediate reason to worry about this flaw,” he said in an email.
If we see any evidence of ways to exploit this flaw, that will change fast, he said, and Apple will have to release a patch. “Regardless of when that happens, it’s important to always keep your iPhone updated with the latest version of iOS, as most software updates these days focus on fixing security flaws,” Schless said.
Threatpost has contacted Apple for feedback.
062121 13:58 UPDATE: Added input from Carl Schou.
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free.
