iOS Bug Causes Specific Network Name to Disable Wi-Fi on iPhones

[ThemePro]

Confirmed the bug with my iPhone 11 but didn't need to reset the network settings. Once the hotspot is turned off or you're out of range, it fixes itself. It's pretty much a nothing burger from Bleeping Computer considering few would join such a named network and there's nothing in it for the attacker other than getting their juvenile jollies.

 

[rickwalder]

$5 to whoever finds the SSID that jailbreaks your phone

 

[mdriftmeyer]

Format string bugs are not uncommon in C/C++. Someone used the wrong API. One more reason to port code to safer languages like Swift.

One more reason to be educated as a programmer as this is discussed in the first couple chapters of a C/C++ book. Holding your hands in Swift doesn’t make you a better programmer. It makes you less skilled.

 

[I7guy]

Any actor looking for exploitable input vulnerabilities. As stated, these are very well known problematic input patterns. The paper I cited before focusing on them is more than 20 years old.

Or, from the words of the researcher in the original article:






You don't know since when the vulnerability exists: the article as far as I've read only mentions tests with iOS 14, so it could have been introduced relatively recently. Furthermore, you know it was publicly disclosed in June 2021, but this doesn't mean other actors could have found the issue and not disclosed it (as sometimes happens).

Being exploitable doesn’t mean it’s anything more than an annoyance. Someone would have to demonstrate a zero day vulnerability.

Anyway, focusing on the SSID is focusing on the tree and missing the forest: the question is why this class of vulnerabilities as a whole managed to land on iOS, since there are well known ways to prevent them.

There may not be well known ways to prevent edge cases like this. In fact there may not be any ways to prevent something like this. The complexity of modern day operating systems makes finding attack vectors difficult.

 

[Morgenland]

I hope that the leaker has named the "most dangerous" SSID with this Carl Shou story, setting out the format by which possible other trigger SSIDs have been named. Is there any news from Wikileaks yet?

 

[Morgenland]

Confirmed the bug with my iPhone 11 but didn't need to reset the network settings. Once the hotspot is turned off or you're out of range, it fixes itself. It's pretty much a nothing burger from Bleeping Computer considering few would join such a named network and there's nothing in it for the attacker other than getting their juvenile jollies.

nope

 

[jhwalker]

I love the disconnect between "permanently disable" and "reset network".

So, literally, it's quite easy to correct, and it doesn't "permanently disable" anything

 

[john123]

Granted, but what worries me most is that these class of bugs are well known and should not pass undetected by basic static checks. It's important for Apple to fix the issue but IMHO far more important to figure out how such issue managed to get into the final product.

This. So much this. People seem to be missing the big point here. It’s not whether anyone would connect to a network starting with special characters. It’s how this got all the way through all the layers of QA without being detected.

And that’s the reason I’d not call this an “edge case.” Network names? Sure, unlikely. Situations where you need to handle garbage data in some way before performing operations on it? Extremely frequent.

 

[Morgenland]

I love the disconnect between "permanently disable" and "reset network".

So, literally, it's quite easy to correct, and it doesn't "permanently disable" anything

...so I'm calmed. Thank you so much!

 

[boswald]

Who cares about a bug that will effect literally one person out of 1 billion, when there are bigger fish to fry.

I think it’s an issue because, sure, this one SSID is meaningless, but simple “strings” that can be used to temporarily disable critical functions of a phone shouldn’t be there AT ALL. Yes, they’re made by humans and we’re not perfect, but it won’t be long until another similar issue is found.

 

[boswald]

View attachment 1795700...so I'm calmed. Thank you so much!

I don’t know which one I like more — the woman or the beach!

 

[Morgenland]

Every iPhone is a mobile WIFI access point.
At least you could theoretically equip yourself with a specific SSID and do things with it that iOS was prepared for, as outlined in this case.
Whether you can also send beacons with it has never been discussed so far...

 

[PinkyMacGodess]

Granted, but what worries me most is that these class of bugs are well known and should not pass undetected by basic static checks. It's important for Apple to fix the issue but IMHO far more important to figure out how such issue managed to get into the final product.

I agree, but also know that nothing tests like shipping a product. They *should* have known it was a problem, but in the acres of source code, finding one flaw like this would be a little difficult. *shrug*

But a 'good programmer' should know what they want to do with that string. Which makes bugs exploited by buffer overruns really indescribably stupid, IMO...

 

[I7guy]

I think it’s an issue because, sure, this one SSID is meaningless, but simple “strings” that can be used to temporarily disable critical functions of a phone shouldn’t be there AT ALL. Yes, they’re made by humans and we’re not perfect, but it won’t be long until another similar issue is found.

I agree, but my point is it’s difficult IMO to find in regression. And much easier to criticize after the fact.

 

[Morgenland]

I don’t know which one I like more — the woman or the beach!

That's why I sent them both.

 

[PinkyMacGodess]

I don’t know which one I like more — the woman or the beach!

Careful, that's a wedding dress there. It could go off at any moment, and be a 'permanent reminder of a temporary feeling'...

EDIT: Although the image name is 'honeymoon_title', so looks like it already went off...

 

[PinkyMacGodess]

My guess is it wasn't exactly "%p%s%s%s%s%n", but rather someone trying to make their SSID look cool with special characters.

Maybe something like "%%SSss Miles Place ssSS%%" but in a combination that sets off the bug. Some iPhones got brought in for service that had the problem, and the people at the service place got curious and investigated further. Eventually it got out to the security community.

There's hundreds of millions of people out there; you're going to come across odd situations like this purely by chance.

The article says he does that as habit/ritual using different strings, and this time he hit the jackpot, so to speak...

 

[PinkyMacGodess]

It's probably saving it into a database. Thus, they are likely sanitizing these kind of inputs, to prevent SQL injection attacks.

But totally blowing it in the process...

 

[ikramerica]

Careful, that's a wedding dress there. It could go off at any moment, and be a 'permanent reminder of a temporary feeling'...

“A momentary lapse of reason, that binds a life to a life…”

 

[Morgenland]

Careful, that's a wedding dress there. It could go off at any moment, and be a 'permanent reminder of a temporary feeling'...

EDIT: Although the image name is 'honeymoon_title', so looks like it already went off...

Living the dream...

 

[PinkyMacGodess]

“A momentary lapse of reason, that binds a life to a life…”

Nice...

Not that I'm against marriage, but I've talked a few couples out of a very clear bad idea...

'There'll be no sleep in here tonight'

 

[Morgenland]

The article says he does that as habit/ritual using different strings, and this time he hit the jackpot, so to speak...

Let's not dwell on the story. A leaker has to construct it that way.
If s|he knows more or everything, s|he might take the appropriate path via Tor (...) and not show up at BC.

 

[kmann1983]

I always wonder how people find these kinds of bugs. Do they just sit around all day trying random stuff in varying succession until something breaks?🤯

Sometimes, yes.

Other times, not in this specific instance, you can point a decompiler and look for unusual things. Or you can poke at the binary itself and take a gander.

One might notice that one particular input isn't running the same sanitization code as the rest, this gives you somewhere to -begin-. Doesn't mean you'll get anything useful. Could be a second version of sanitization. Could be "English Alphabet only" sanitization as opposed to "anything unicode". Perhaps it's a hardcoded list of "bad things". Who knows until you start poking.

It all starts with finding either inconsistencies or just shoveling malformed data into inputs.

This is why unit testing is a thing. A programmer should always be their own word bad actor so as to avoid ACTUAL bad actors.

 

[4jasontv]

Hmmm. I wonder if an alternative string could be used to open ports or something.

 

[bsolar]

Being exploitable doesn’t mean it’s anything more than an annoyance. Someone would have to demonstrate a zero day vulnerability.

The paper I cited explains why these class of exploits are inherently dangerous and gives some examples how the input string can be further constructed to attempt to e.g. read or write from/to arbitrary memory locations.

I don't think you did read said paper: I highly suggest it.

There may not be well known ways to prevent edge cases like this. In fact there may not be any ways to prevent something like this. The complexity of modern day operating systems makes finding attack vectors difficult.

Not even mentioning dedicated static code analysis tools, even just your standard C compiler would warn e.g. about unsafe uses of printf if the appropriate flags are enabled.

Furthermore, this is a well known problematic input pattern, which means concern about these kind of inputs should be a standard concern for any possible input source.