Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID.
The issue was initially brought to light last month, when reverse engineer Carl Schou discovered that the Wi-Fi functionality on his iPhone would completely crash when connecting to a hotspot that had the SSID “%p%s%s%s%s%n.”
Wi-Fi would continuously restart even after disconnecting from the hotspot, with the functionality being restored only after resetting the network connection settings on the device.
The issue, which impacts all iOS devices running iOS 14.0 to 14.6, was deemed to be a format string bug: iOS treats the characters that follow “%” as string-format specifiers, so they are processed as commands rather than as text.
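The format-string mechanism behind the bug, shown as an added C example that is not part of the original report or of Apple's code: a network name ends up as the format string itself (the unsafe pattern) instead of being passed as an argument to a fixed format string (the safe pattern), plus a hypothetical defender's check that flags SSIDs carrying format directives. The helper names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Apple's code: counts format directives in an
 * attacker-controlled string such as a Wi-Fi SSID.  A '%' that is not part
 * of the "%%" escape is a directive a formatting routine would interpret. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is a literal percent sign */
        n++;
    }
    return n;
}

/* UNSAFE pattern: the SSID becomes the format string.  With an SSID such as
 * "%p%s%s%s%s%n" the directives read values off the stack and "%n" writes
 * to memory.  Compilers flag this with -Wformat-security; the pragma only
 * keeps the demonstration compiling.  Called here with a benign SSID only. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int render_ssid_unsafe(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, ssid);
}
#pragma GCC diagnostic pop

/* SAFE pattern: a fixed format string; the SSID is data, so any '%' in it
 * is copied literally and never interpreted. */
int render_ssid_safe(char *out, size_t outlen, const char *ssid)
{
    return snprintf(out, outlen, "%s", ssid);
}

int main(void)
{
    /* Constructed sample SSIDs: the one from the report and a harmless one. */
    const char *names[] = { "%p%s%s%s%s%n", "Cafe 100%% free", "HomeNet" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        render_ssid_safe(buf, sizeof buf, names[i]);
        printf("ssid=\"%s\" directives=%d\n", buf,
               count_format_directives(names[i]));
    }
    return 0;
}
```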
According to security researchers with the ZecOps Mobile EDR Research team, however, the implications of the bug are deeper, as it could be exploited to achieve remote code execution without any interaction from the user.
To achieve remote code execution, the researchers say, the targeted device needs to have Wi-Fi enabled and set to Auto-Join (the feature is enabled by default), to be running a vulnerable iOS version, and to be in the proximity of a Wi-Fi access point whose name has been tailored to trigger the bug.
An attack exploiting the vulnerability leverages the fact that an iOS device scans for Wi-Fi networks to join roughly every 3 seconds when the device is in use, or anywhere between 10 seconds and more than 1 minute if the screen is off.
Thus, an attacker could create a malicious access point, launch a beacon flooding attack against the target device (by broadcasting numerous Beacon frames, so that many access points appear on the victim device), cause the device’s Wi-Fi to crash and re-spawn, control the content of the stack to trigger a use-after-free, and leverage it for remote code execution.
ZecOps discovered that an attacker may use the string “%@” in the malicious access point’s name, because it is treated as an Objective-C object, thus providing an attacker with control of the stack content.
“As long as the WiFi is turned on this vulnerability can be triggered. If the user is connected to an existing WiFi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this 0-click attack,” the researchers say.
ZecOps also explains that, if the malicious Wi-Fi access point is password protected and the device never joins the network, no data is saved to disk and, with the device’s Wi-Fi function being normal when no longer in range, the user may never notice they have been attacked.
“Since this vulnerability was widely published, and relatively easy to notice, we are highly confident that various threat actors have discovered the same information we did, and we would like to encourage an issuance of a patch as soon as possible,” ZecOps notes.
Apple silently patched the vulnerability in iOS 14.4, without assigning a CVE. However, the bug can still be abused to crash the Wi-Fi on devices running iOS 14.0 to iOS 14.6, leading to a denial of service condition, the researchers say.