New malformed Wi-Fi name bug can require iPhone factory reset to fix

Posted:
in iOS edited July 4
A bug in the way iOS handles Wi-Fi hotspot names is apparently worse than first thought, with one malformed SSID found to disable Wi-Fi access on an iPhone completely, requiring a factory reset to rectify it.




In June, security researcher Carl Schou discovered a personal Wi-Fi hotspot name of "%p%s%s%s%s%n" causes problems for iOS devices. It was found that iPhones simply couldn't connect to the hotspot, and in fact disabled Wi-Fi connectivity in some instances.

While that issue could be fixed by reseting the network settings within iOS, Schou has since discovered a variant along the same lines that can cause more harm to an unsuspecting iPhone. According to Schou in a tweet on Sunday, using the SSID "%secretclub%power" can disable an iOS device's Wi-Fi capabilities, with no guarantee that a network settings reset will restore connectivity.

You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power
Resetting network settings is not guaranteed to restore functionality.#infosec #0day

-- Carl Schou (@vm_call)


Schou claims the iPhone used to test still didn't have Wi-Fi after repeated resets of network settings and a forced restart of the iPhone. The researcher has also contacted Apple's device security team over the matter, but has yet to hear anything back.

The original bug was believed to be an issue with input parsing, where the percentage sign could be misinterpreted by iOS as a string-format specifier, namely that characters following the symbol could be considered a variable or a command instead of plain text.

While the new SSID does jokingly promote Secret Club, a technology exploration group Schou is involved with, the use of the percentage signs followed by the characters S and P are most likely the problem areas for the hotspot name bug. Analysis of the issue confirms a format string bug is behind it, though it doesn't seem to be a highly exploitable vulnerability for a bad actor.

It is highly likely that there are many more combinations of text strings that could cause problems within iOS in this manner, but only until the bug is patched out by Apple. While the company is beta-testing iOS 14.7 and iOS 15, it is unclear if the issue will be fixed in those releases by the company.

For the moment, AppleInsider recommends users don't connect to unfamiliar Wi-Fi access points, especially if they include unusual symbols.

Keep up with everything Apple in the weekly AppleInsider Podcast -- and get a fast news update from AppleInsider Daily. Just say, "Hey, Siri," to your HomePod mini and ask for these podcasts, and our latest HomeKit Insider episode too.If you want an ad-free main AppleInsider Podcast experience, you can support the AppleInsider podcast by subscribing for $5 per month through Apple's Podcasts app, or via Patreon if you prefer any other podcast player.

Comments

  • Reply 1 of 12
    XedXed Posts: 1,100member
    Well this is one I'm not going to test.
    dysamoriaapplguywatto_cobra
  • Reply 2 of 12
    You guys are about a week behind on this one. 
  • Reply 3 of 12
    Useless Message PosterUseless Message Poster Posts: 10unconfirmed, member
    You guys are about a week behind on this one. 
    How do you figure?  There was a post on this here last week on the first issue, and now an update that the guy found came out earlier today.  I'd say they are right on it.  Or did you know about the Secret Club version earlier than today?
    watto_cobra
  • Reply 4 of 12
    mk2021mk2021 Posts: 1member
    I have found if my PW has similar characters, it creates an issue with Wi-Fi not working correctly on an iPod touch.

    Even a factory reset has not solved the issue.

    PW has also been changed.
    watto_cobra
  • Reply 5 of 12
    dysamoriadysamoria Posts: 3,430member
    Why would a router name ever be handled as anything other than a plain text string? Why is it even possible for that string to be read as some kind of format/type specifier?

    Databases usually have “illegal” characters stripped, and it has, in my past experience, been extremely irritating to see which characters certain databases dislike (inconsistently), because of how it limits the human usage of said databases. There are still systems on the internet that refuse to accept modern password strength requirements (government and corporate), forcing a maximum of 8 characters for password and/or user ID. What outdated software are they running??

    We generally find protection against storing illegal characters, such as in file & volume name dialogs. That same process isn’t used to limit WiFi IDs? Is there not a formalized definition for a WiFi ID’s allowable characters?

    Why, in modern computing, is it still possible to break things via “unexpected” characters?
    XedIreneW
  • Reply 6 of 12
    XedXed Posts: 1,100member
    dysamoria said:
    Why would a router name ever be handled as anything other than a plain text string? Why is it even possible for that string to be read as some kind of format/type specifier?

    Databases usually have “illegal” characters stripped, and it has, in my past experience, been extremely irritating to see which characters certain databases dislike (inconsistently), because of how it limits the human usage of said databases. There are still systems on the internet that refuse to accept modern password strength requirements (government and corporate), forcing a maximum of 8 characters for password and/or user ID. What outdated software are they running??

    We generally find protection against storing illegal characters, such as in file & volume name dialogs. That same process isn’t used to limit WiFi IDs? Is there not a formalized definition for a WiFi ID’s allowable characters?

    Why, in modern computing, is it still possible to break things via “unexpected” characters?
    1) My weakest passwords are with my financial institutions. Some don't even have 2FA options. It's pathetic.

    2) I don't feel like Apple gives enough attention to their WiFi settings. Since the iPhone debuted it has bugged me that once I select the type of security (e.g.: WPA2) it doesn't jump back to the previous page or have a Next button, but instead makes you manually choose Back. I can't tell you how many time I tap and then wait for something to happen only to remember I have to do it. This isn't a dealbreaker, but it's just lazy and a lack of consistency when everything else works a certain way.

    On macOS I waited years for them to hide all the possible SSIDs that I've never connected. A couple years ago they finally did that so many there is hope for the other. I think they did add WPA3 support at some point. Hopefully they'll do a housecleaning of WiFi in the coming months.
    edited July 4 dysamoriamuthuk_vanalingamwatto_cobra
  • Reply 7 of 12
    DoodpantsDoodpants Posts: 32member
    dysamoria said:

    Why, in modern computing, is it still possible to break things via “unexpected” characters?
    Because "modern computing" still uses libraries written in C, a language from 1972.
    watto_cobra
  • Reply 8 of 12
    williamhwilliamh Posts: 810member
    You all know some jerks will set up access points with that SSID.  

    The reporting seems a bit overblown still.  The author and discoverer claim it permanently disabled Wifi ans then wrote  there’s no guarantee to get WiFi back after a factory reset.  So it’s not always or not usually permanent or not often.  Who knows?
    watto_cobra
  • Reply 9 of 12
    XedXed Posts: 1,100member
    williamh said:
    You all know some jerks will set up access points with that SSID.  

    The reporting seems a bit overblown still.  The author and discoverer claim it permanently disabled Wifi ans then wrote  there’s no guarantee to get WiFi back after a factory reset.  So it’s not always or not usually permanent or not often.  Who knows?
    Because of that, what I assume will be Apple more often than not having to use their resources to fix iPhones, and what I suspect will be an easy fix, that we'll see a fix soon enough.
    edited July 5
  • Reply 10 of 12
    jcs2305jcs2305 Posts: 1,222member
    You guys are about a week behind on this one. 
    Huh?

    You can permanently disable any iOS device's WiFI by hosting a public WiFi named %secretclub%power
    Resetting network settings is not guaranteed to restore functionality.#infosec #0day

    -- Carl Schou (@vm_call)

    watto_cobra
  • Reply 11 of 12
    nicholfdnicholfd Posts: 704member
    dysamoria said:
    Why would a router name ever be handled as anything other than a plain text string? Why is it even possible for that string to be read as some kind of format/type specifier?

    Databases usually have “illegal” characters stripped, and it has, in my past experience, been extremely irritating to see which characters certain databases dislike (inconsistently), because of how it limits the human usage of said databases. There are still systems on the internet that refuse to accept modern password strength requirements (government and corporate), forcing a maximum of 8 characters for password and/or user ID. What outdated software are they running??

    We generally find protection against storing illegal characters, such as in file & volume name dialogs. That same process isn’t used to limit WiFi IDs? Is there not a formalized definition for a WiFi ID’s allowable characters?

    Why, in modern computing, is it still possible to break things via “unexpected” characters?
    The "%" symbol is allowed in WPA/WPA2 pre-shared key.  Apple is not correctly parsing the field correctly.  See this article:  Wi-Fi Protected Access.  Specifically see foot note 21 which has a link to an ASCII table of printable characters.

    Unfortunately this problem is specific to many WiFi product manufacturers (not giving Apple an out here - shame on Apple, we expect better).  I had an IR emitter devices, used for home stereo automation, that had an iOS app to control it. When you first set it up, you connected to it's WiFi, and configured your home WiFi.  It would never connect to my home WiFi.  I worked with the hardware/software developer, and they were not parsing the pre-shared key correctly on the hardware device (ran Linux, on a SoC).  The ";" in my password was fouling it up.  They fixed it after my troubleshooting with them.  The product was called RedEye, made by Thinkflood.  

    And there are many other WiFi hardware products that do not allow "approved" special, printable ASCII characters.  They don't want to bother with parsing them correctly.  You'll find this in some Router/WiFi documentation.
    watto_cobra
  • Reply 12 of 12
    dewmedewme Posts: 3,934member
    dysamoria said:

    Why, in modern computing, is it still possible to break things via “unexpected” characters?
    Because modern programmers are making the same mistakes, like incomplete/incorrect input parameter validation and exception handling, that older/seasoned programmers made before they learned not to make those kinds of mistakes. In many cases the seasoned programmers have moved on and knowledge transfer is nonexistent. There are other contributing factors, including but not limited to:

    - The general flattening of any kind of skill-based hierarchy, i.e., no discernible path that entry level people ascend through the ranks.
    - The primary focus on productivity over correctness, efficiency, and consequences, in languages, tools, and breadth of testing.
    -  Unbounded growth in software size, complexity, and rate of change.

    One possible antidote for some of these issues is to keep some developers around who are especially proficient and knowledgeable in the parts of the architecture that require exacting attention to detail required to interact with low level system/kernel services while using unforgiving languages like C/C++/Objective-C build libraries for developers working in higher level “productivity” languages like Swift and C# to consume - and have some architects around who know how all the pieces at all levels need to work together. 

    It’s a people related problem, not a technology related problem.


    edited July 6 muthuk_vanalingamwatto_cobra
Sign In or Register to comment.