A couple of weeks ago, security researcher Carl Schou found a quirky iPhone bug where the device’s Wi-Fi could be disabled by connecting to a network with the SSID of “%p%s%s%s%s%n”. It’s safe to say that the chances of doing this by mistake were pretty low, and it was more interesting as a rare modern sighting of the age-old format-string bug.
But now Schou has discovered a related zero day bug that may both be easier to fall victim to, and harder to fix if you do.
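For readers unfamiliar with why an SSID like the ones above can take down a Wi-Fi daemon, here is an added example (not Apple's code and not anything Schou published) of the classic format-string mistake that the article refers to, beside the one-line fix and a small triage check. The `log_line` helper and the log message wording are assumptions standing in for whatever logging call the real daemon makes; everything else is generic C.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper: forwards its arguments to vsnprintf exactly the
 * way the printf family does, so whatever arrives as `fmt` is parsed for
 * directives. Names and message text here are assumptions, not wifid's. */
static void log_line(char *out, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, cap, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern (CWE-134): the network name itself becomes the format
 * string. A name such as "%p%s%s%s%s%n" is then interpreted: the %s and %p
 * directives read arguments that were never passed, and %n performs a write.
 * Shown only for contrast; nothing below calls it. */
static void log_ssid_vulnerable(char *out, size_t cap, const char *ssid) {
    log_line(out, cap, ssid);
}

/* Fixed pattern: the format is a literal, the SSID is only ever data. The
 * name is copied verbatim, percent signs included. */
static void log_ssid_fixed(char *out, size_t cap, const char *ssid) {
    log_line(out, cap, "joined network: %s", ssid);
}

/* Triage helper: count printf-style directives in untrusted text. "%%" is a
 * literal percent and is not counted. A non-zero result flags input worth a
 * look in logs or a stored known-networks list; it is not a substitute for
 * the fix above. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { /* escaped percent */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void) {
    /* Constructed sample names, including the two from the article. */
    const char *names[] = { "%p%s%s%s%s%n", "%secretclub%power",
                            "100%% legit", "HomeNetwork" };
    char buf[128];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        log_ssid_fixed(buf, sizeof buf, names[i]);
        printf("%-24s directives=%d  logged as: %s\n",
               names[i], count_format_directives(names[i]), buf);
    }
    return 0;
}
```

The difference between the two logging functions is the whole bug class: once the format argument is a literal, the SSID cannot influence how the call is parsed, regardless of what it contains.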
“You can permanently disable any iOS device's WiFi by hosting a public WiFi named %secretclub%power,” Schou tweeted. “Resetting network settings is not guaranteed to restore functionality.”
“Seriously, I still don’t have WiFi,” Schou added in a tweet on July 4, 2021.
It’s not clear if the bug requires you to connect to said mischievous network, or simply for the iPhone to scan it. If it’s the latter, that means that anybody could set up a hotspot with the iPhone-breaking name in a busy place, and enjoy the carnage.
Schou was initially nonplussed as to how to fix his device, tweeting that resetting the network and force-restarting the iPhone did nothing. Eight hours later, his iPhone was working again, but using a method that’s likely beyond the abilities of the majority of owners.
“To restore WiFi functionality, you have to manually edit an iPhone backup and remove malicious entries from the known networks .plist,” he tweeted.
Schou reached out to Apple’s device security team to alert them of the bug, and you would imagine a fix will be issued pretty urgently — hopefully before the loophole is exploited maliciously.
There is some good news, however. It’s possible that this is not quite as bad as it seems, and could actually be the culmination of two bugs combining. Schou retweeted a thread by @wr3nchsr, which suggested that the hard reset/backup edit option may only be required if the phone comes into contact with two malicious SSIDs.
“I didn’t trace that back in the binaries but for some reason having more than one malicious SSID might be causing the reset to fail? As a result whenever wifid attempts to start, it crashes due to a null pointer dereference,” @wr3nchsr tweeted on July 4, 2021.
If that’s the case, then trolls would have a far harder time using this exploit maliciously, as it’s the kind of thing that you’re only likely to run into if you’re a security researcher actively looking for trouble. All the same, we would expect Apple to fix this pretty quickly, as the previous bug doesn’t seem to impact Android devices at all.