How long must it have taken to find this out!? Surely better things to do.

that is not how bug finding/reporting/etc works.

probably a bunch of people around here won't remember it, but MR reported on some obscure email bug that existed for years which took advantage of not a terribly large number of people, but it allowed remote code execution.

finding something like this isn't about having few better things to do.
 
So he joined a network where someone else not related to the security researcher or research at hand set up said network SSID? In other words, he stumbled across this as a happy accident, not related to any research he was doing? He got caught in a honeypot? That's in the wild.

It was an accident which happened merely because he likes to use these string patterns as names. He was not actively doing security research and attempting to break the iPhone, but merely trying to join his wifi network as user.

Apparently not only did you not read the sources I provided you, you didn't even read the original article.

That the network was his and not someone else's is irrelevant, what's important is that he was using released versions of the software and a released device model:

The phrase “in the wild” is used in IT to refer to technology that has passed through a development environment, and has become a publicly used tool. Another way to talk about “in the wild” is in reference to technologies that are “post-release,” for example, software products that have already been released to the public.

Both the iOS version and iPhone device model used clearly satisfy the above definition, as opposed e.g. if the bug was only present on a beta version of iOS or a prototype device.
 
I actually would blame the wi-fi manufacturers for "allowing" SSIDs to have symbols in the first place.

Not even only symbols: the SSID is defined in the 802.11 standard as being 0-32 octets, meaning that a valid SSID is effectively binary data not even limited to printable characters.
 
I'm not a developer, but I am surprised that this still happens in 2021. It should be clear that user input is not parsed as is. Or is it not that simple?
 
That's a good one. This isn't the first time, either. Back in OS X Lion I ran into a problem with my MacBook Pro in that it would kernel panic seemingly at random while at school at DTU and connected to EduRoam.

Turns out some students thought it was funny to broadcast some malformed network packets around the network to purposefully crash all Macs because they didn't like them.

Wireshark on Linux was able to find them, but it slowed down Linux networking tremendously. Only Windows seemed immune. I reported it many times to Apple and it wasn't until 10.9 that an Apple engineer actually came to DTU and sat down and fixed the darned problem. Really frustrating.
 
😬. At least you can reset network settings and resolve the issue without causing further problems.
 
I'm not a developer, but I am surprised that this still happens in 2021. It should be clear that user input is not parsed as is. Or is it not that simple?
There is no project without bugs. I'm pretty sure Apple didn't have a meeting where they decided that this is an intended feature. It's a bug because a human made an error.

Somewhere in the code, something somehow got parsed the wrong way. It seems harmless at first but do we know what else is possible with it? This bug could allow attackers to execute commands by naming a public AP in a certain way.
 
Pretty sure of course this bug will affect nobody, as who would use that as a network name?!

Someone might do it for the lulz, or to attempt an exploit (although this doesn't so far look exploitable).

How long must it have taken to find this out!? Surely better things to do.

It's always a good idea to look for exploits, so they can be patched.

The real question is why would iOS do anything with the SSID? It's a 'string'. If iOS is choking on it, it shouldn't be looking at it as filet mignon! (Bad analogy warning?) It's like eating the wrapper your hamburger came in. Come on Apple...

In this particular case, the SSID is appended to a string with format markers. The entire string is then run through a formatting, possibly for logging purposes, where the placeholder values can't be controlled by an attacker and the target buffer is likely (hopefully) length-limited. So it will probably not be exploitable.
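An added illustration of the two patterns this post contrasts (not code from the article, from Apple, or from any poster): pasting the SSID into the format string so its directives are interpreted, versus keeping the format literal and passing the SSID as an argument. It also treats the SSID as the 0-32 raw octets mentioned earlier in the thread rather than as a C string; the function names and the "Joining network:" log text are made up for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdbool.h>
#include <ctype.h>

/* 802.11: an SSID is 0..32 octets of arbitrary binary data, not a C string. */
#define SSID_MAX 32

/* Vulnerable pattern, as the post describes it: the SSID is pasted into the
 * format string before formatting, so %-directives inside it are interpreted.
 * Exercised here only with "%%", which is well-defined and consumes no
 * argument; a real "%s"/"%n" in the SSID would be undefined behaviour. */
int log_ssid_unsafe(char *out, size_t outlen, const char *ssid)
{
    char fmt[128];
    snprintf(fmt, sizeof fmt, "Joining network: %s", ssid); /* SSID is now format text */
    return snprintf(out, outlen, fmt);                     /* data treated as code */
}

/* Hardened pattern: the format string is a literal and the SSID is only ever an
 * argument, passed with an explicit length because it need not be NUL-terminated. */
int log_ssid_safe(char *out, size_t outlen, const uint8_t *ssid, size_t ssid_len)
{
    char shown[SSID_MAX + 1];
    if (ssid_len > SSID_MAX)
        ssid_len = SSID_MAX;                  /* clamp: never trust the advertised length */
    for (size_t i = 0; i < ssid_len; i++)     /* keep logs readable, strip control bytes */
        shown[i] = isprint(ssid[i]) ? (char)ssid[i] : '.';
    shown[ssid_len] = '\0';
    return snprintf(out, outlen, "Joining network: %.*s", (int)ssid_len, shown);
}

/* Defensive check a log monitor or wireless scanner could apply to beacon
 * frames: flag SSIDs that carry printf-style directives such as "%p%s%s%s%s%n".
 * A '%' followed by a space (as in "100% legit") is not flagged. */
bool ssid_has_format_directives(const uint8_t *ssid, size_t ssid_len)
{
    for (size_t i = 0; i + 1 < ssid_len; i++)
        if (ssid[i] == '%' && ssid[i + 1] != ' ')
            return true;
    return false;
}
```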
 
It affects basically nobody as long as it's just a joke SSID encountered by chance, but it highlights a vulnerability in the software which malicious actors can further investigate and potentially have the chance to further exploit.

That's why Apple should promptly fix the root issue before worse exploits have a chance to happen.
Don’t you have to actively join the network for it to break anything? That would make it much less dangerous.
 
I've always found Apple devices to be problematic with SSIDs containing accent characters. Used to maintain a wifi setup for an Italian cafe for a friend of mine. He wanted the SSID to match the name of the cafe that contained a grave accent over an "E". When I tried it, no Apple devices including the cafe owner's iPhone could even see that the network existed. Couldn't even join it as a hidden network, using the SSID as set. Anything else was fine with it.
 
Don’t you have to actively join the network for it to break anything? That would make it much less dangerous.

Yes, as stated already it's unlikely for the SSID to be a vector for more nefarious exploits, but the underlying issue is still worrying and should be looked into before another vector is potentially found.
 
I've always found Apple devices to be problematic with SSIDs containing accent characters. Used to maintain a wifi setup for an Italian cafe for a friend of mine. He wanted the SSID to match the name of the cafe that contained a grave accent over an "E". When I tried it, no Apple devices including the cafe owner's iPhone could even see that the network existed. Couldn't even join it as a hidden network, using the SSID as set. Anything else was fine with it.

That's an issue with Apple's implementation as SSIDs per specification are not even required to be alphanumeric.
 
A bug has apparently been found by a security researcher that can render a temporary denial of service to an iPhone by connecting to a specially crafted SSID name. By resetting network settings this DoS can be mitigated.

The technique hasn’t yet been released in the wild but will be shortly after reading the folderol in this thread.
 
Yes... blame Apple for the fact no one can use real SSID names.. I know people wanna be private but changing an SSID name to something that doesn't make sense doesn't exactly solve the problem of privacy.. at all

the password does, not the name..

Now, Apple will fix it.. I actually would blame the wi-fi manufacturers for "allowing" SSIDs to have symbols in the first place. That would solve the problem very quickly. Usually an update could be implemented
As far as I know the situation, I would like to agree with you.
But...
Can you explain to me why Apple behaves differently with my SSID "default" (single in range) since some iOS updates than with arbitrary SSID names?
The iPhone (unlike the iPad) labels the name as "unsafe network" and disconnects several times a day.
If Apple were (also) of your opinion that the password is the only important thing (I would actually agree with that), then it would not set SSID name specific processes in its software. And that's where it gets interesting, because the SSID is actually eagerly used by many other services for many other purposes as well.
Google, to name just one harmless one.

Before someone tries to trivialize things again: No, a network reset did not change anything.
 
After 11 years of interaction (especially in the jailbreak section) yeah there’s a lot of people on macrumors who struggle with tech willing to do stupid things with it. The time when a text could crash springboard and many on here were “pranking” friends by sending it comes to mind. You’ve been here longer than me I’m sure you’ve seen even more examples.
He should have kept his opinion to himself, is it that hard.
 
Format string bugs are not uncommon in C/C++. Someone used the wrong API. One more reason to port code to safer languages like Swift.
I get where you're coming from, but in Swift, String(format: "%p%s%s%s%s%n") crashes the app as well. But it is true that somebody used the wrong API.
 
Well, in my opinion it's an edge case. But you all can have your own interpretation of this.
How is it an edge case? How is sanitizing input before doing anything with it not data 101? I can't tell you how many hours of my life would have saved and how many problems avoided if my people had just done some basic data hygiene on the front end. I mean, good grief, even at the most basic level, look at Unicode.
 
We had to take secure coding training at my former workplace every year or every other year and you have to be able to handle stuff like this. Garbage should also be in the QA test plans.
 
I am affected by this bug. I was messing around with my wifi access point and named the SSID "6G COVID TEST TOWER 500%"
network settings reset does nothing, debug logs still contain the SSIDs
 