Granted, but what worries me most is that these class of bugs are well known and should not pass undetected by basic static checks. It's important for Apple to fix the issue but IMHO far more important to figure out how such issue managed to get into the final product.

Not the first time either. A few years ago iPhones were being bricked by sending a particular character in a text.


A wireless network naming bug has been discovered in iOS that effectively disables an iPhone's ability to connect to Wi-Fi.


Security researcher Carl Schou found that after joining a Wi-Fi network with the name "%p%s%s%s%s%n" his iPhone's Wi-Fi functionality was left "permanently disabled."


...iPhones hit by the problem need to have their network settings reset before a Wi-Fi hotspot can be connected again.

To perform the reset, open the Settings app, tap General -> Reset, then tap Reset Network Settings and confirm the request at the prompt.

Article Link: iOS Bug Causes Specific Network Name to Disable Wi-Fi on iPhones
Oh, so it's not permanently disabled, then...

Misleading clickbait article.
 
I don't see how it would be a strawman... furthermore your statement does not contradict mine: both practical and theoretical considerations play a role in the evaluation of a threat. Ask yourself e.g. why the corresponding Sonar Rule has a severity of Critical.



That's because you don't know the matter at hand. I have given you a paper which explains exactly what this vulnerability is about, but let me try with an easier article maybe (extra emphasis mine):



That's exactly what's happening in Apple's case.

Note that the original article has been updated with a quick analysis which confirms that the bug is indeed a string format vulnerability:
There are considerations to how vulnerabilities are treated. For example Meltdown and Spectre would probably have a different risk profile than this bug. The Apple Group FaceTime bug had a different risk profile. This is a theoretical DoS which, if a reboot or resetting network settings works, and especially if there isn't a real chance of code injection or the probability of infection is low, would be treated differently than Meltdown.
 
How long must it have taken to find this out!? Surely better things to do.
Maybe better things to do, but then again he discovered a bug. Albeit one that may never have affected anyone, but he still found it.
 
There are considerations to how vulnerabilities are treated. For example Meltdown and Spectre would probably have a different risk profile than this bug. The Apple Group FaceTime bug had a different risk profile. This is a theoretical DoS which, if a reboot or resetting network settings works, and especially if there isn't a real chance of code injection or the probability of infection is low, would be treated differently than Meltdown.

No, this is not a theoretical DoS, this is a practical DoS based on a vulnerability theoretically known to also be able to be exploited more nefariously to e.g. read or write at arbitrary memory positions. This is clearly explained in the sources I provided which evidently you didn't take the time to read.

As stated already, I don't think the underlying vulnerability will be easy to exploit beyond the current DoS, but it is still a dangerous underlying issue to have in the software due to its nature.
 
No, this is not a theoretical DoS, this is a practical DoS based on a vulnerability theoretically known to also be able to be exploited more nefariously to e.g. read or write at arbitrary memory positions. This is clearly explained in the sources I provided which evidently you didn't take the time to read.

As stated already, I don't think the underlying vulnerability will be easy to exploit beyond the current DoS, but it is still a dangerous underlying issue to have in the software due to its nature.
Semantics. This is a theoretical DoS until it happens in the wild. Like many vulnerabilities, which are real in the sense that they have been proven, but not executed in the wild. Either they require physical access to the device, social engineering, the user to do something, a particular setup, etc.
 
Eh, this particular bug seems to just cause the Wi-Fi to go on and off as fast as it can. Specifically, it likely crashes, restarts, crashes, and repeats over and over.

It's not likely going to be able to run arbitrary bad code itself. Not saying it can't... but the SSID is limited in data, so the odds of you being able to put enough in there to get it to do anything malicious or useful OUTSIDE of the phone would be... difficult if not impossible.

But what do I know.
I read it to mean that the name of the Wi-Fi is used in a location of code where it can influence hardware. Maybe it can only disable the connection, but it might be able to make other changes with a different string.

Once someone figures out why the wireless stops, it wouldn't take long to figure out other uses.
 
Semantics. This is a theoretical DoS until it happens in the wild. Like many vulnerabilities, which are real in the sense that they have been proven, but not executed in the wild. Either they require physical access to the device, social engineering, the user to do something, a particular setup, etc.

What are you talking about? The DoS did happen in the wild: that's what led to the discovery of the underlying format string vulnerability. It seems to me you want to define "theoretical" as "not being actively exploited by malicious actors", but that's not what the term means.
 
What are you talking about? The DoS did happen in the wild: that's what led to the discovery of the underlying format string vulnerability. It seems to me you want to define "theoretical" as "not being actively exploited by malicious actors", but that's not what the term means.
Where did this happen in the wild? And yes being actively exploited by malicious actors is exactly what I was referring to for this low level bug.
 
Where did this happen in the wild?

From the second sentence in the MacRumors post itself:

Security researcher Carl Schou found that after joining a Wi-Fi network with the name "%p%s%s%s%s%n" his iPhone's Wi-Fi functionality was left "permanently disabled."

That's when it happened in the wild. To elaborate:
  • The researcher was using a released version of iOS on a released iPhone model, meeting the definition of "in the wild".
  • He successfully caused a Denial of Service with the steps described above, which he speculated exploited an existing format string vulnerability.
  • Later another researcher analyzed the crash report and confirmed that said vulnerability was a format string bug.

And yes being actively exploited by malicious actors is exactly what I was referring to for this low level bug.

That's fine but the lack of active exploits by malicious actors doesn't make the DoS theoretical: the DoS to be theoretical would need to lack a known definite way to exploit the vulnerability, which is not the case here.
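An added illustration, not code from the thread or from Apple, of the bug class the post above describes: the vulnerable logging call beside its hardened form, plus a defender-side check over candidate network names of the kind the first reply calls a "basic static check". The function names, the 32-byte SSID bound and the scan helper are my assumptions; the sample SSID is the one reported in the article.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define SSID_MAX_LEN 32   /* 802.11 SSIDs are at most 32 bytes */

/* Constructed sample: the network name reported in the article. */
static const char SAMPLE_SSID[] = "%p%s%s%s%s%n";

/* The pattern behind a format string bug (CWE-134): untrusted text is
 * passed as the format argument, so each '%' in it is parsed as a
 * directive ("%s" reads a pointer off the stack, "%n" writes to memory).
 * Kept only for contrast; nothing here calls it. GCC and Clang report
 * this line with -Wformat-security, the kind of static check the first
 * reply in the thread has in mind. */
void log_ssid_vulnerable(const char *ssid)
{
    printf(ssid);          /* BAD: caller-supplied data is the format */
}

/* Hardened form: the format is a constant and the SSID is only an argument. */
int log_ssid_safe(char *out, size_t out_len, const char *ssid)
{
    return snprintf(out, out_len, "joined network: %s", ssid);
}

/* Defensive check (hypothetical helper): count format directives in a
 * candidate SSID and note whether a bare "%n", the write directive, is
 * present. Any directive is unusual in a network name and worth flagging. */
typedef struct { int directives; bool has_n; } ssid_scan;

ssid_scan scan_ssid(const char *ssid)
{
    ssid_scan r = {0, false};
    size_t n = 0;
    while (n < SSID_MAX_LEN && ssid[n] != '\0') n++;   /* bounded length */
    for (size_t i = 0; i < n; i++) {
        if (ssid[i] != '%') continue;
        if (i + 1 < n && ssid[i + 1] == '%') { i++; continue; } /* "%%" is a literal */
        r.directives++;
        if (i + 1 < n && ssid[i + 1] == 'n') r.has_n = true;
    }
    return r;
}
```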
 
So, in essence you say there are a lot of idiots on Macrumors.
Well done... :rolleyes:
After 11 years of interaction (especially in the jailbreak section), yeah, there's a lot of people on MacRumors who struggle with tech and are willing to do stupid things with it. The time when a text could crash SpringBoard and many on here were "pranking" friends by sending it comes to mind. You've been here longer than me; I'm sure you've seen even more examples.
 
From the second sentence in the MacRumors post itself:

That's when it happened in the wild. To elaborate:
  • The researcher was using a released version of iOS on a released iPhone model, meeting the definition of "in the wild".
  • He successfully caused a Denial of Service with the steps described above, which he speculated exploited an existing format string vulnerability.
  • Later another researcher analyzed the crash report and confirmed that said vulnerability was a format string bug.

That's fine but the lack of active exploits by malicious actors doesn't make the DoS theoretical: the DoS to be theoretical would need to lack a known definite way to exploit the vulnerability, which is not the case here.
So he joined a network where someone else, not related to the security researcher or the research at hand, set up said network SSID? In other words, he stumbled across this as a happy accident, not related to any research he was doing? He got caught in a honeypot? That's in the wild.
 
Since we are talking about Wi-Fi, I find that I have fewer problems with the Private Address setting disabled on my home Wi-Fi. It doesn't appear to play nice with my provider's Wi-Fi.
 
Pretty sure of course this bug will affect nobody, as who would use that as a network name?!

Yes... blame Apple for the fact no one can use real SSID names.. I know people wanna be private, but changing an SSID name to something that doesn't make sense doesn't exactly solve the problem of privacy.. at all

the password does, not the name..

Now, Apple will fix it.. I actually would blame the Wi-Fi manufacturers for "allowing" SSIDs to have symbols in the first place. That would solve the problem very quickly. Usually an update could be implemented
 