iOS Wireless Naming Bug, Click-less Zero-Day & Why Is It Critical To Maintain Updates

Everything these days runs on software: offices, cars, airplanes, power plants, household appliances. Setting aside the special case of machine learning, just about all software is written by software engineers; and like most things created by people, it is imperfect.

When a device or application we use hits a coding error, commonly known as a “bug”, it behaves unpredictably: new behaviour emerges that no one, not even the developer, anticipated. This often leads to undesirable results, such as exposure of sensitive data, unauthorized access, degraded performance, or a full system crash.

Mr. Robot said it best, “The bug forces the software to adapt, evolve into something new because of it. Work around it or work through it. No matter what, it changes. It becomes something new. The next version. The inevitable upgrade.”

Did you know? A zero-day is a computer-software vulnerability unknown to those who should be interested in its mitigation (e.g. the manufacturer). Until the vulnerability is mitigated, hackers can exploit it to adversely affect programs, data, additional computers or a network.

The Gist of It

Let’s revisit the events that unfolded around the recent and highly publicized iOS bug. After all, this is more than a story about a bug that crashes the Wi-Fi functionality of vulnerable iOS devices. It is about an issue that gave birth to an extremely dangerous zero-click, zero-day vulnerability. A malicious access point name was enough to affect a susceptible iOS device, with no sophisticated methods and no interaction with the victim, as long as the victim’s phone automatically joined the Wi-Fi network bearing the malicious SSID. Add Remote Code Execution (RCE) to that and you have a recipe for disaster.

Since most devices are set to automatically connect to available wireless access points as a user convenience, the attack is seamless, click-less, and fully automated. The zero-click vulnerability ultimately turned out to be so nefarious that it earned a fitting name: WiFiDemon, coined by the security vendor ZecOps, who would soon uncover the scope of the damage this simple Wi-Fi naming bug could cause.

How Was WiFiDemon Discovered?

As with many bugs in the wild, this one was uncovered by accident. After all, most rigorous testing during the Quality Assurance or User Acceptance Testing phases of software development is still performed by trained humans rather than machines, and a bug can go unreported even after the software or device ships and a user runs into the unexpected behaviour. This particular story began when a security researcher and reverse engineer named Carl Schou discovered the iOS wireless naming bug.

He stumbled upon the flaw after trying to connect an iPhone to his personal wireless access point, whose Service Set Identifier (SSID) was “%p%s%s%s%s%n”. That issue was resolvable by resetting the network settings within iOS. However, Schou then came upon a variant resembling the original SSID, "%secretclub%power", which also triggers the bug and has the potential to cause even more damage to an iPhone. First, the iPhone was unable to connect to the SSID. Then iOS unceremoniously disabled its wireless interface - permanently.

“Neither rebooting nor changing SSID fixes it”, tweeted Schou. The bug forced the iPhone into a loop, shown in the embedded link above: the phone’s wireless settings repeatedly attempt to activate Wi-Fi, only to crash ad infinitum. In simple terms, it created a denial-of-service (DoS) condition, preventing the affected iPhone from reaching any Wi-Fi access point.

The flaw affected iOS version 14.4.2 and the latest iOS 14.6 release, putting 55.2 million iPhone devices at risk of serious damage under these conditions.

On July 19 Apple rolled out a patch in iOS 14.7 and iPadOS 14.7 that appeared to resolve the flaw.

The security blog CodeColorist reported research showing that the issue is a format string bug: certain characters (such as "%") in the network name are interpreted by the operating system as format directives rather than simply as part of the name. As a consequence, the device malfunctions - in this case, in the form of a denial of service.

This meant that a vulnerable iOS device could misread the strange SSID, interpreting its characters as the format variables commonly found in programming syntax, so that iOS believed it was reading a command and tried to act on it. This left the Wi-Fi functionality of the device absolutely fubar and ultimately denied the user any Wi-Fi access. In some cases the wireless interface could not be restored without a factory reset.
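To make the CodeColorist finding concrete, here is an added C example (not code from the article, CodeColorist, ZecOps or Apple) showing the difference between passing a network name as a printf-style format string and passing it as an argument, plus a small check that flags SSIDs carrying format directives. The sample SSIDs are constructed, apart from the two named in the article.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if `ssid` contains a printf-style conversion directive
 * ('%' followed, after any flags/width/precision, by a conversion
 * character), 0 otherwise.  "%%" is the escaped literal percent sign
 * and is not counted. */
int ssid_has_format_directive(const char *ssid)
{
    for (const char *p = ssid; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" prints a literal '%' */
            p++;
            continue;
        }
        const char *q = p + 1;      /* skip flags, width and precision */
        while (*q && strchr("-+ #0123456789.*", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q))
            return 1;
    }
    return 0;
}

/* Safe pattern: the SSID is an argument to a fixed format, so every '%'
 * in it is copied literally.  The unsafe pattern the article describes is
 * equivalent to snprintf(out, n, ssid), i.e. the untrusted name *is* the
 * format string, and "%s"/"%n" in it would then be acted upon. */
int format_join_message(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, "Joining network: %s", ssid);
}

int main(void)
{
    /* constructed sample SSIDs; the last two are the ones named in the article */
    const char *samples[] = { "CoffeeShop-Guest", "100%%Free", "50% off",
                              "%p%s%s%s%s%n", "%secretclub%power" };
    char msg[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        format_join_message(msg, sizeof msg, samples[i]);
        printf("%-18s directive=%d  %s\n", samples[i],
               ssid_has_format_directive(samples[i]), msg);
    }
    return 0;
}
```

A check like this belongs at the point where an externally supplied name is logged or displayed; the real fix is never to let the name reach a format-string parameter.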

But wait: it turned out to be so much more than a mere flaw.

WiFiDemon Zero-Day Has Remote Code Execution Capabilities

The ZecOps Mobile EDR Research team looked into the bug and made an alarming discovery: the Wi-Fi denial-of-service bug was more than it appeared. It was in fact a zero-day with Remote Code Execution (RCE) capabilities. RCE is a class of security vulnerability that allows a threat actor to execute code of their choosing on a remote device in order to gain unauthorized access to it. Additionally, they discovered that the vulnerability was not fully patched.

"As long as the Wi-Fi is turned on this vulnerability can be triggered," said the researchers. "If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack.” …
"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk...after turning off the malicious access point, the user's Wi-Fi function will be normal. A user could hardly notice if they have been attacked."
- ZecOps Mobile EDR Research team

Unpatched Issues & Auto-Connect Features Are Making Devices Vulnerable

This iOS bug is a critical vulnerability simply because iOS users can still be affected by its destructive attributes if they hesitate to update to the latest version of iOS, or leave enabled the ability to automatically connect to available wireless networks. And good luck getting people to update their devices immediately or to disable auto-connect features.

As of now, simply leaving your wireless preferences at the default setting makes your iOS device vulnerable to this DoS zero-day attack.

Attack Scenarios In Progress

How would a threat actor take advantage of this vulnerability? You’re about to find out.

Imagine a hacker roaming about a ritzy hotel in lower Manhattan, New York. He doesn’t look like your stereotypical hacker. He isn’t wearing the iconic black hoodie or Guy Fawkes mask, nor is he doing anything out of the ordinary. Because of this, he is able to blend in with the environment, appearing as any other hotel guest. He sits at the cafe adjacent to the hotel lobby and uses his phone - just like everybody else.

He creates a fake wireless access point called "%secretclub%power" and broadcasts it from his phone. Sure, it looks a little strange, but when patrons begin seeing an open access point, they don’t think twice - they connect. The hacker leaves the attack running all day, scanning for vulnerable iOS devices, most of them unpatched, as scores of them find his malicious access point. He watches them connect, and then quickly disappear, unable to reconnect because their wireless interfaces are now null - crashed.

Imagine this kind of attack on a much larger scale. What if the threat actor were able to gain access to the hotel’s wireless router, or a router at a mall, and change the SSID to "%secretclub%power"? Now let’s think even bigger. Imagine entire cities that offer free public wireless points, like Tel Aviv or New York City, a mesh that extends for miles.

Access controls for grids this large are usually kept under careful watch, but to a skilled and determined hacker that is little obstacle. Altering the SSID to "%secretclub%power" would crash thousands, even millions, of vulnerable iOS devices, destroying their networking functionality through a simple zero-click “flaw” and providing thousands of attack points for Remote Code Execution.

This is why patches, system updates and fixes are only useful to those who apply them. Dismissing important updates hands a useful advantage to threat actors, who are never in short supply. As threats evolve, so must we.

An article by

Jesse McGraw
