Joining a Wi-Fi network with a specific sequence of characters in its SSID name will break wireless connectivity for iOS devices. Thankfully the bug looks to be little more than an embarrassment and inconvenience.
On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named “%p%s%s%s%s%n”.
The offending name is made up of good old C language printf()-style string format specifiers. On iOS, they are handled by Apple’s open source CFString framework, available to those writing Objective-C or Swift applications. CF stands for Core Foundation; CFString is a C API in macOS and iOS.
Security researcher Alex Skalozub told The Register that the disruptive series of characters can be shorter still. The string “%s%s%s” is sufficient to trigger the bug, he said, noting that it appears to be the third “%s” that takes down the Wi-Fi connection.
The “%s” tells the software to use a referenced string, which likely doesn’t actually exist, causing the code to crash. Indeed, it appears to cause a strlen() function call to trigger a memory access fault. Apple’s software should not be directly obeying these user-provided format strings as it’s a classic security vulnerability.
“Yesterday I showed how [an Access Point] named “%Free %Coffee at %Starbucks” does the same thing,” he said.
Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default.
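To make the distinction concrete, here is an added C example (not code from Apple, CFString or the researchers quoted): a check that counts printf-style conversions in an untrusted SSID, an escaping routine that neutralises them as defence in depth, and the safe logging pattern that keeps the SSID out of the format argument. The function names, the scratch buffers and the benign sample SSIDs are assumptions; the hostile SSIDs are the ones quoted in the article.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style conversions in an untrusted string such as an SSID.
 * "%%" is an escaped percent sign, not a conversion. Anything above 0 means
 * the string carries directives and must never be passed as a format. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;                        /* "%s", "%n", "%F", "%p", ... all count */
    }
    return n;
}

/* Defence in depth: double every '%' so the string stays inert even if some
 * later caller wrongly uses it as a format. Returns the output length, or -1
 * when out is too small (out is always NUL-terminated). */
int escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outlen) {   /* keep room for the terminator */
            if (outlen) out[0] = '\0';
            return -1;
        }
        out[o++] = *p;
        if (*p == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return (int)o;
}

/* The safe pattern: the SSID is an argument, never the format string itself.
 * Returns the length snprintf reports for the formatted line. */
int log_join_message(char *buf, size_t buflen, const char *ssid)
{
    return snprintf(buf, buflen, "Joined network: %s", ssid);
}

/* Scratch buffers (assumed) so callers can inspect the escaped form and the log line. */
static char g_escaped[64];
static char g_line[128];
```

Note that “%Free %Coffee at %Starbucks” counts as three conversions (%F, %C and %S are all valid printf directives), which matches the researcher’s observation that it behaves like “%s%s%s”.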
Security flaw? Technically possible but…
Amichai Shulman, co-founder and CTO of enterprise network security firm AirEye, contends the bug could lead to remote code execution.
“While it is easy to use the…