SSID with format strings: Special network name paralyzes WLAN components in iOS


An IT security specialist stumbled upon a strange bug in iOS that paralyzed the entire WLAN stack of Apple’s mobile operating system. As Carl Schou explains on Twitter, he chose the SSID %p%s%s%s%s%n for his WLAN as a test; as soon as his iPhone connected to it, the smartphone’s WiFi component could no longer be activated. Only resetting the WLAN settings, which deletes all stored networks, provided a remedy. The bug in iOS is probably harmless and cannot be misused.

As soon as Schou connected his iPhone to this special network, the smartphone refused all WLAN activity and no longer connected to any other known network. Even changing the SSID of the test network did not help; apparently the iPhone failed to process the SSID it had stored internally. System-wide network functions such as AirDrop also stopped working, and even restarting the device made no difference, MacRumors reports.

Schou, who runs the security blog secret.club, does not specify how he came across the error or under what circumstances. For example, he does not name the iOS version used; one can only assume that it was the current version 14 (14.6 at the time of writing). It is also unclear whether the error occurs on an iPad as well. The sequence of characters Schou used contains no characters that are not permitted in an SSID.

The exact cause of the malfunction in iOS is not known, but the characters used for the SSID provide a hint: the sequence ‘%[letter]’ is used by several programming languages as a format string directive. Exploiting a security hole through a so-called format string attack has been known since 1999: an attacker takes advantage of software that carelessly passes external data unfiltered into a place where it is interpreted as an instruction.


Apparently that is also the case here. Inspired by Schou’s discovery, another IT security and reverse engineering specialist investigated the behavior of iOS and presented his findings on his blog chichou.me. The SSID is processed as a format string and passed on to a WiFi component, which then causes a buffer overflow. The process supervision in iOS therefore terminates the component, with the visible consequence that WLAN can no longer be activated on the iPhone. One way out is to delete all network settings in the Settings app: “General”, “Reset”, “Network settings”.
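The defensive side of the pattern described above, as an added example that is not code from the article, Schou or CodeColorist: a check that counts printf-style conversion specifiers in a network name (the SSID value is the one quoted in the article; the function names are this example’s own), next to the safe way of passing untrusted text into a formatting call.

```c
/* Added example, not code from the article, Schou or CodeColorist: a defensive
 * check for network names carrying printf-style conversion specifiers, plus the
 * safe way to pass untrusted text to a formatting call. Function names are mine. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Count conversion specifiers in s ("%%" is a literal percent sign and is skipped);
 * *writes is set when a "%n" directive, which writes to memory, is present. */
static int scan_directives(const char *s, int *writes)
{
    int n = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* escaped percent: not a directive */
            p++;
            continue;
        }
        const char *q = p + 1;        /* skip flags, width, precision, length */
        while (*q && (strchr("-+ #0.*hlLzjt", *q) || isdigit((unsigned char)*q)))
            q++;
        if (*q == '\0')
            break;                    /* trailing '%' with no conversion letter */
        if (*q == 'n')
            *writes = 1;
        n++;
        p = q;                        /* the loop's p++ steps past the letter */
    }
    return n;
}

int count_format_directives(const char *s) { int w; return scan_directives(s, &w); }
int has_write_directive(const char *s)    { int w; scan_directives(s, &w); return w; }

/* Safe pattern: the untrusted SSID is an argument, never the format string.
 * printf(ssid) would interpret %p/%s/%n inside the name; "%s" does not. */
int log_ssid(char *out, size_t outsz, const char *ssid)
{
    return snprintf(out, outsz, "joined SSID: %s", ssid);
}
int main(void)
{
    const char *ssid = "%p%s%s%s%s%n";   /* the network name from the article */
    char line[64];
    log_ssid(line, sizeof line, ssid);
    printf("%s -> %d directives, %%n present: %d\n", line, count_format_directives(ssid), has_write_directive(ssid));
    return 0;
}
```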

The blogger behind chichou.me, CodeColorist, also suspects that the error cannot be maliciously exploited: no parameters can be controlled via the SSID string. On Twitter, a user also indicated that the bug could not be reproduced on an older Android smartphone tested on the spur of the moment.


(tiw)
