A newly discovered iPhone vulnerability can crash your phone's WiFi as soon as you connect to a specially named network.
If someone sets a WiFi network's name (SSID) to a particular string of special characters, you have to be careful: once you try to connect to that WiFi, your iPhone's WiFi will be "hacked".
As shown below, the iPhone can no longer connect to WiFi, and even if you turn WiFi on manually it switches itself off again:
Even restarting the iPhone doesn't help. You have to reset the phone's network settings to get WiFi working again.
Only iPhones are affected
The vulnerability was discovered by a security engineer named Carl Schou, who set his home WiFi to the following name: %p%s%s%s%s%n
(Friendly reminder: don't try this yourself, and don't put other iPhone users at risk.)
He then found that the iPhone's WiFi function had completely crashed.
Every time he tried to turn WiFi back on, the system quickly shut it down again, even after he rebooted the device or changed his home WiFi back to a normal name.
Carl first discovered the vulnerability by testing it on his iPhone XS running iOS version 14.4.2. He then performed the same test on the latest 14.6 system and found that the vulnerability still existed.
Carl first reported the issue on Twitter, and many other netizens reproduced the vulnerability after reading his description.
According to this netizen's feedback, the problem is not only that WiFi cannot be used: AirDrop cannot be turned on either.
Of course, the problem is not completely unrepairable; the specific fix is described later.
If you are an Android user, you don't have to worry at all: people have tried connecting to a WiFi network with the same name from Android phones, and the problem did not occur.
In addition, QuantumBit has tested that the WiFi name has no effect on a Mac. This vulnerability seems to be unique to the iPhone.
Although the WiFi problem can be solved by resetting network settings, some netizens believe this "terrible" vulnerability should be taken seriously.
Vulnerabilities like this could be exploited by hackers, for example by setting up a rogue WiFi network in a public place to crash all nearby iPhones.
And this is most likely a privilege escalation vulnerability that causes an overflow error and corrupts the plist (the file format Apple uses to store user settings).
Why a string of characters crashed the iPhone
Other security engineers who saw Schou's tweet believe the error is caused by a flaw in how the iPhone parses WiFi names.
The problem lies in the "%" signs in the name.
If you have learned C or C++, you will be familiar with this symbol: inside a "format string", % introduces a format specifier, a placeholder that tells the function how to interpret and print the corresponding argument.
For example, "%3d" prints an integer right-aligned in a field at least 3 characters wide.
Let's go back to the special characters "%p%s%s%s%s%n". %p prints a pointer value, %s prints a string, and %n is slightly more complicated: it prints nothing, but stores the number of characters output so far into the int variable whose address is passed as the corresponding argument.
For example, take the following C code, where c is an int variable:
    int c = 0;
    printf("geeks for %ngeeks", &c);
The output does not show %n; it simply prints
    geeks for geeks
but while printing, %n counts the characters output before it and stores that count in the variable c.
If we then add printf("%d", c); we find that the output is 10 (the space also counts as one character).
The iPhone passes the unsanitized WiFi name (SSID) to an internal library that performs string formatting, which can lead to arbitrary memory writes and buffer overflows and thus corrupt memory. The iOS watchdog then terminates the process, which is why WiFi is disabled.
So the iPhone did not treat "%p%s%s%s%s%n" as ordinary text but as a special format string. The iPhone's error log also recorded the incident.
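The defensive counterpart of the bug described above, as an added C example that is not part of the original article or of Apple's code: the untrusted SSID is only ever passed as data to a fixed format, the directives that make an SSID dangerous are detected, and '%' can be neutralised as defence in depth. The function names are my own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
/* Count conversion directives in an SSID: a '%' not followed by another '%'.
   "%p%s%s%s%s%n" yields 6; "100%% legit" yields 0. Any non-zero count means
   the string would be interpreted, not printed, if it reached printf as a format. */
int count_format_directives(const char *ssid) {
    int n = 0;
    for (const char *p = ssid; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }  /* "%%" is just a literal '%' */
        n++;
    }
    return n;
}

/* True if the SSID contains a %n directive, possibly with flags or width such
   as "%5n" or "%10$n". %n is the one directive that writes memory, which is what
   turns a format-string bug from a leak into a crash or memory corruption. */
bool has_write_directive(const char *ssid) {
    for (const char *p = ssid; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("0123456789$-+ #.lhjzt", *q)) q++;  /* skip modifiers */
        if (*q == 'n') return true;
    }
    return false;
}

/* Correct pattern: the untrusted SSID is an argument to a fixed format string.
   Returns the number of characters snprintf would have written. */
int log_ssid_safe(char *out, size_t outlen, const char *ssid) {
    return snprintf(out, outlen, "Joining network: %s", ssid);
}

/* Defence in depth: double every '%' so the name is inert even if downstream
   code wrongly uses it as a format. Returns output length, or -1 if out is too small. */
int escape_percent(const char *ssid, char *out, size_t outlen) {
    size_t o = 0;
    for (const char *p = ssid; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= outlen) return -1;   /* keep room for the terminating NUL */
        if (*p == '%') out[o++] = '%';
        out[o++] = *p;
    }
    out[o] = '\0';
    return (int)o;
}
```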
As for why he gave his WiFi such a strange name, Carl said that all his devices are named with format strings so that he can spot the ones with problems.
In fact, this is not the first time the iPhone has been attacked with special strings.
The most famous earlier case was the "death text message" of 2018: as long as a text message containing special Telugu characters was sent to an iPhone, the user could never open the Messages app again, because the iPhone would restart as soon as it was tapped.
WeChat on the iPhone was also affected by this type of attack.
Apple later fixed that vulnerability in iOS 11.3, but similar string attacks keep appearing every so often, which makes them hard to defend against.
Solution
Although this bug cannot be fixed by restarting the iPhone, it will not completely brick your phone. The fix is not complicated:
Open "Settings" on your iPhone and select "General"
Go to the "Reset" option at the bottom
Select "Reset Network Settings" and enter your passcode
Once the reset completes, your iPhone returns to normal. Don't worry about losing your data: this operation only makes your iPhone "forget" previously saved WiFi passwords, and nothing else is affected.
If you see a "%" sign in a WiFi name in the future, be extra careful: it may be a prank or something malicious.
Hopefully Apple can fix this vulnerability in the next iOS update.