Even though Apple devotes a lot of resources towards bolstering iPhone security, every so often a bizarre bug emerges out of nowhere. The most recent example was unearthed by security researcher Carl Schou a few weeks ago. Posting on Twitter, Schou relayed how something funky happened to his iPhone when he connected to a WiFi network named “%p%s%s%s%s%n”. Upon doing so, the WiFi on his iPhone stopped working and couldn’t be restored.
Beyond WiFi connectivity issues, Schou noticed that other network-oriented activities like AirDrop stopped working as well.
The reason behind the iPhone security issue
Apple hasn’t issued a fix for the issue yet, but theories behind the quirky behavior have emerged.
To this point, 9to5Mac writes:
the ‘%[character]’ syntax is commonly used in programming languages to format variables into an output string. In C, the ‘%n’ specifier means to save the number of characters written into the format string out to a variable passed to the string format function. The Wi-Fi subsystem probably passes the Wi-Fi network name (SSID) unsanitized to some internal library that is performing string formatting, which in turn causes an arbitrary memory write and buffer overflow. This will lead to memory corruption and the iOS watchdog will kill the process, hence effectively disabling Wi-Fi for the user.
The “%” character certainly appears to be the culprit, with Schou this weekend observed that a malicious actor can “disable any iOS device’s WiFI by hosting a public WiFi named %secretclub%power.”
Schou adds that resetting network settings on the device may restore functionality but adds that it’s not a guarantee. Schou also said he contacted Apple’s security team but never hear anything back.
How to restore your WiFi and stay safe
According to a tweet from Schou, some security experts guided him in the right direction. Schou says that it’s possible to restore WiFi functionality. To begin, “manually edit an iPhone backup and remove malicious entries from the known networks .plist.”
If you have a Mac, folks on Twitter have some simple advice. “Remove the entry from the iCloud Keychain. it then automatically syncs to your iPhone, et voilà, you have wifi again.”
Another example of an offending WiFi network name is “%Free %Coffee %Starbucks”.
To maintain the security on your iPhone, avoid any WiFi name you see with a “%” symbol and you should be safe. Expounding on the matter, The Register adds:
Security researcher Alex Skalozub told The Register that the disruptive series of characters can be shorter still. The string “%s%s%s” is sufficient to trigger the bug, he said, noting that it appears to be the third “%s” that takes down the Wi-Fi connection.
The “%s” tells the software to use a referenced string, which likely doesn’t actually exist, causing the code to crash. Indeed, it appears to cause a strlen() function call to trigger a memory access fault.
While nothing is certain at this point, we’ll have to wait and see if Apple addresses this issue soon. Apple released iOS 14.6 not too long ago. It stands to reason we can expect to see iOS 14.7 arrive sooner rather than later.
