Tag Archive for: String

It’s 2021 and a printf format string in a wireless network’s name can break iPhone Wi-Fi • The Register


Joining a Wi-Fi network with a specific sequence of characters in its SSID name will break wireless connectivity for iOS devices. Thankfully the bug looks to be little more than an embarrassment and inconvenience.

On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after attempting to connect to a Wi-Fi network named “%p%s%s%s%s%n”.

The offending name is made up of good old C language printf()-style string format specifiers. On iOS, they are handled by Apple’s open source CFString framework, available to those writing Objective-C or Swift applications. CF stands for Core Foundation; CFString is a C API in macOS and iOS.

Security researcher Alex Skalozub told The Register that the disruptive series of characters can be shorter still. The string “%s%s%s” is sufficient to trigger the bug, he said, noting that it appears to be the third “%s” that takes down the Wi-Fi connection.

The “%s” specifier tells the software to use a referenced string, which likely doesn’t actually exist, causing the code to crash. Indeed, it appears to cause a strlen() function call to trigger a memory access fault. Apple’s software should not be directly obeying these user-provided format strings, as doing so is a classic security vulnerability.

“Yesterday I showed how [an Access Point] named “%Free %Coffee at %Starbucks” does the same thing,” he said.

Fortunately, the damage appears not to be permanent. Apple iOS devices that lose Wi-Fi capability after being bitten by this bug can be restored via the General -> Reset -> Reset Network Settings menu option, which reverts network settings to their factory default.

Security flaw? Technically possible but…

Amichai Shulman, co-founder and CTO of enterprise network security firm AirEye, contends the bug could lead to remote code execution.

“While it is easy to use the…


Security consultant hired by Foreign Office linked to string of hacking complaints


A British private investigator and security consultant whose company has just completed a four-year contract to protect the UK’s embassy in Tel Aviv is linked to a string of telecommunications hacking complaints dating back more than 20 years, according to high court judgments.




© Provided by The Guardian

A court judgment that touches on the career history of Stuart Page – the 69-year-old founder of the private security and intelligence firm Page Group – noted last May that the businessman “operates in a world of covert surveillance in which agents acquire confidential information unlawfully”.

The judgment explores how Page, who was appearing in the case as a witness, was linked to hacking allegations stretching back to 1998, where the businessman is said to have received stolen materials and passed them to clients. The judge concluded that the allegations did not establish that Page had ever carried out or authorised hacking himself.

Page Group’s alleged role in passing illegally obtained materials to clients raises questions about the use of stolen personal information within UK civil court proceedings, as well as the company being awarded a £1m Foreign, Commonwealth and Development Office (FCDO) contract to protect one of the UK’s most sensitive embassies – a deal that concluded in December after almost four years.



The Embassy of the United Kingdom in Tel Aviv, Israel. Photograph: Michael Jacobs/Alamy

The FCDO’s Supply Partner Code of Conduct states: “Supply partners and their delivery chain partners must declare to FCDO where there may be instances or allegations of previous unethical behaviour by an existing or potential staff member or where there is a known or suspected conflict of interest.”

Neither Page Group nor the FCDO would say if the company had highlighted the historical allegations to the government.

Lawyers for Page, whose companies have also worked guarding EU diplomats and on intelligence engagements for Middle Eastern rulers, told the Guardian: “No findings of hacking…


What Extreme’s string of networking acquisitions means for enterprises

Extreme Networks’ recent string of acquisitions – including its recent $100 million auction-buy of Avaya’s networking business, its purchase of Brocade’s Ethernet IP networking assets and its purchase of wireless vendor Zebra Technologies last year – should cause enterprise end users to potentially rethink their network infrastructure buying decisions when it comes time for their next hardware refresh, according to Forrester analyst Andre Kindness.

Kindness says in the immediate short term, there are not likely to be any major changes to offerings from these vendors; all current Avaya and Brocade networking gear will still be supported. But given Extreme’s acquisition spree, it’s expected there will be some consolidation and blending of products over the medium and long-term. “As with anything, it will take some time to reconcile the moves and figure out the new direction,” says Kindness.


Network World Security