A researcher has found a way to disable the WiFi functionality on iPhones by getting them to join a WiFi hotspot with a weird name.
This shouldn’t be happening. The first thing you learn in coding school when it comes to input (which is literally any data a device has to do something with) is to validate it. Well, maybe not the first thing, but if you want to practice secure coding it is one of the most basic rules: make sure that an attacker cannot abuse your application by feeding it something it can’t digest. Like a WiFi network name.
It is not the first time, by the way, that iPhones have been compromised through a format string vulnerability. And I’m afraid it will not be the last.
Let’s talk iPhone
iPhones are supposedly much more secure than Android devices, but as it turns out I can disconnect your secure iPhone from any WiFi by using a plain format string vulnerability. All I would have to do is make you connect to a specific WiFi hotspot.
The magical WiFi network name (SSID) for fritzing your phone is %p%s%s%s%s%n, but since the underlying issue is almost certainly the fact that % is interpreted as a format specifier, you can bet there are more possibilities to be found.
String format specifiers
In programming you sometimes have to build words and sentences you want to show the user from some information you know in advance and some you don’t. In C and C-style languages, string format specifiers are used for this. They have a particular meaning and are processed as variables or commands by the
A plain printf call might look like this:
printf("Malwarebytes %n rules", &c);
In this instance %n is a format specifier, but unlike most specifiers it does not produce any output. When the program prints the sentence “Malwarebytes %n rules”, the %n is replaced by nothing, and instead the number of characters printed so far (13, the length of “Malwarebytes ”) is written into the integer variable c whose address was passed as the argument. So the output is:
Malwarebytes  rules
and afterwards c holds the value 13. That write to memory is exactly what makes %n so interesting to attackers.
There are many other format specifiers that do different things. They look like a percent sign followed by a single character that specifies the type of data, for instance %s will be replaced by a string of characters, %d by a number (a decimal integer), %p by a pointer address, and so on. Each one consumes an argument that the caller is expected to have supplied; if none was supplied, the function reads whatever happens to be in that position on the stack or in registers.
So you can see why a WiFi network called %p%s%s%s%s%n might cause problems: the %s specifiers dereference values that were never meant to be pointers, and the %n writes to one. Apple’s programmers should have ensured their code treats names like that as percent signs and letters, not as format specifiers. It seems they didn’t.
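To make the difference between “data” and “format” concrete, here is a small added example (written for this page, not code from Apple or from the researcher). It shows what %n actually stores, contrasts the vulnerable pattern of passing a network name straight in as the format string with the hardened "%s" form, and adds the kind of check a practitioner would want: a scanner that counts printf-style directives in an SSID and flags %n, plus a percent-escaping helper as defence in depth. The sample SSIDs are constructed for the demonstration; the only one taken from the post is %p%s%s%s%s%n. The vulnerable function is only ever fed the harmless "100%%done", which prints deterministically, rather than the malicious name, whose behaviour is undefined.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

char demo_buf[64];   /* scratch output buffer for the demonstrations below */

/* What %n really does: it prints nothing. Instead it stores the number of
 * characters written so far into the int whose address is the matching
 * argument. Output is "Malwarebytes  rules"; the returned count is 13. */
int percent_n_demo(char *out, size_t outsz) {
    int written = -1;
    snprintf(out, outsz, "Malwarebytes %n rules", &written);
    return written;
}

/* VULNERABLE pattern (the bug class in the post): the SSID itself is passed
 * as the format string, so every '%' in it is interpreted as a directive. */
const char *format_ssid_vulnerable(const char *ssid) {
    static char buf[64];
    snprintf(buf, sizeof buf, ssid);   /* never do this with untrusted input */
    return buf;
}

/* HARDENED pattern: the format is a fixed literal and the SSID is only data. */
const char *format_ssid_safe(const char *ssid) {
    static char buf[64];
    snprintf(buf, sizeof buf, "%s", ssid);
    return buf;
}

/* Validation check (constructed for this example): count printf-style
 * conversion directives in an SSID. "%%" is a literal percent, not a
 * directive. A lone trailing '%' is counted because printf's behaviour on it
 * is undefined. If writes_memory is non-NULL it is set when %n is present. */
int count_format_directives(const char *s, bool *writes_memory) {
    int n = 0;
    bool has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }             /* "%%" -> literal '%' */
        p++;                                             /* step past the '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                                         /* flags, width, precision, length */
        n++;
        if (!*p) break;                                  /* lone '%' at end of string */
        if (*p == 'n') has_n = true;
    }
    if (writes_memory) *writes_memory = has_n;
    return n;
}

bool ssid_has_percent_n(const char *s) {
    bool w;
    count_format_directives(s, &w);
    return w;
}

/* Defence in depth: double every '%' so that even if the SSID reaches a
 * format argument somewhere, it is rendered literally. Returns false when
 * dst cannot hold the result. */
bool escape_percent(const char *src, char *dst, size_t dstsz) {
    size_t j = 0;
    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (j + need >= dstsz) return false;
        dst[j++] = *src;
        if (*src == '%') dst[j++] = '%';
    }
    if (j >= dstsz) return false;
    dst[j] = '\0';
    return true;
}

int main(void) {
    int c = percent_n_demo(demo_buf, sizeof demo_buf);
    printf("%%n stored %d; output: \"%s\"\n", c, demo_buf);

    /* "100%%done" in C source is the 9-character string 100%%done: the
     * vulnerable path collapses %% to %, the safe path leaves the SSID alone. */
    printf("vulnerable: %s\n", format_ssid_vulnerable("100%%done"));
    printf("safe:       %s\n", format_ssid_safe("100%%done"));

    const char *evil = "%p%s%s%s%s%n";   /* the SSID from the post */
    bool writes;
    int n = count_format_directives(evil, &writes);
    printf("%s: %d directives, writes memory: %s\n", evil, n, writes ? "yes" : "no");

    char esc[64];
    if (escape_percent(evil, esc, sizeof esc))
        printf("escaped %s -> rendered literally as %s\n", esc, format_ssid_vulnerable(esc));
    return 0;
}
```

The real fix is the "%s" form; the scanner and the escaping helper are there to show what a validation step would reject and why doubling the percent signs neutralises the name even on a code path that still misuses it as a format.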
I can hear you thinking: so what? I would never join a WiFi hotspot with such a weird name. Well, maybe you wouldn’t, if you noticed that the name looks out of the ordinary. But anyone can spoof a well-known SSID, and your device will happily connect to it again if it has connected to an open network by that name before.
Other research has shown that the vulnerability is not restricted to the iOS operating system; it can potentially affect macOS as well. The same research team found a way to construct the network name so that it does not expose the user to the weird characters, making it look like a legitimate, existing network name.
It is not impossible that researchers will find a way to construct SSIDs that lead to remote code execution (RCE). But this will probably turn out to be too complex, since an attacker would be limited by the maximum length of an SSID (32 bytes), the limited functionality of the format specifiers, and the memory location of the format string. The format string is located on the heap, which does not give the attacker control of the pointers on the stack. Which is not to say that this method could not be used in combination with other vulnerabilities.
Recovery from testing
If you couldn’t resist testing this and now want your WiFi back, here is how to do it. You will have to reset your iPhone’s network settings (Settings > General > Reset > Reset Network Settings), which will erase all your saved WiFi passwords. This is not a permanent fix for the problem: any time your device is affected by the issue, you will have to reset it again.
And don’t go overboard with your testing. As this researcher found out, the reset does not work for every possible string.
The post How one word can disable an iPhone’s WiFi functionality appeared first on Malwarebytes Labs.