The iOS vulnerability that let a phone be crashed by connecting it to a particular SSID could also be exploited for remote code execution. Apple has since fixed that vulnerability following a report from security researchers.
The new bug was discovered by researchers at security company ZecOps, who call the vulnerability WiFiDemon. It is a zero-click vulnerability, so no user interaction is required. Attackers could get an iPhone to connect to a specific Wi-Fi network and thereby execute code on the phone remotely.
WiFiDemon builds on a vulnerability previously discovered in iOS. That bug made it possible to disable Wi-Fi on an iPhone when it connected to the SSID %p%s%s%s%s%n. Later, other similar strings were found to cause bootloops in the Wi-Fi functionality, causing it to crash. Apple removed the ability to connect to SSIDs containing the %n string, but ZecOps says that is not the only potential vulnerability.
The researchers managed to create an SSID containing the format specifier %@, which is used in Objective-C. If an attacker can make a phone connect to a network whose SSID starts with that specifier, this can cause a bootloop, just as with the previous vulnerability. The vulnerability can also be exploited without user interaction. To do this, an attacker must append %@ to an SSID that a phone is already connected to. If a user has 'Connect automatically' enabled for Wi-Fi networks, the phone will automatically connect to the wrong network. According to the researchers, a use-after-free could then be triggered that makes it possible to run code on the phone.
The vulnerability was in iOS versions 14 through 14.4. The researchers say that the zero-click capability was fixed in iOS 14.6, but that version still allows Wi-Fi to be crashed if an attacker gets a user to connect to a unique SSID. This requires user interaction. On older versions, users could disable automatic scanning for and connecting to Wi-Fi networks. The crash did not receive a CVE identifier. Apple released iOS 14.7 this week, but the release notes do not say anything specific about this vulnerability.
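
As an added example (not code from ZecOps, Apple, or the original article), here is a defender-side check that flags scanned SSIDs containing printf-style or Objective-C format specifiers such as those named above, including a saved network name with a specifier added to it. The verdict labels, function names, and all sample SSIDs other than %p%s%s%s%s%n are constructed for illustration.

```python
import re

# One printf-style conversion: % [flags] [width] [.precision] [length] conversion.
# '@' is the Objective-C object specifier; "%%" is a literal percent sign.
SPEC = re.compile(
    rb"%[-+ #0']*(?:\*|\d+)?(?:\.(?:\*|\d+))?(?:hh|h|ll|l|q|L|j|z|t)?"
    rb"[diouxXeEfFgGaAcsCSpn@%]"
)
MAX_SSID_LEN = 32  # 802.11 limits an SSID to 32 octets


def find_specifiers(ssid: bytes) -> list[str]:
    """Return every conversion specification in the SSID, ignoring literal '%%'."""
    return [m.group(0).decode("ascii") for m in SPEC.finditer(ssid)
            if m.group(0) != b"%%"]


def classify(ssid: bytes, saved: frozenset[bytes] = frozenset()) -> dict:
    """Describe why an observed SSID is suspicious (labels are this example's own)."""
    specs = find_specifiers(ssid)
    convs = {s[-1] for s in specs}
    if len(ssid) > MAX_SSID_LEN:
        verdict = "invalid-length"
    elif "n" in convs:
        verdict = "format-write"      # %n, which the article says Apple now refuses
    elif "@" in convs:
        verdict = "format-object"     # %@, the Objective-C specifier
    elif specs:
        verdict = "format-other"
    else:
        verdict = "ok"
    # The zero-click scenario: a saved network name with specifiers added to it.
    stripped = SPEC.sub(lambda m: b"%" if m.group(0) == b"%%" else b"", ssid)
    mimics = bool(specs) and stripped in saved
    return {"ssid": ssid, "specifiers": specs, "verdict": verdict, "mimics_saved": mimics}


def scan(observed: list[bytes], saved: frozenset[bytes]) -> list[dict]:
    """Return findings for every observed SSID that is not 'ok'."""
    findings = (classify(s, saved) for s in observed)
    return [f for f in findings if f["verdict"] != "ok"]


# Constructed sample data: saved networks and SSIDs seen in a scan.
SAVED = frozenset({b"HomeNet", b"Office-5G"})
OBSERVED = [b"HomeNet", b"%p%s%s%s%s%n", b"HomeNet%@", b"Sale 50%% off", b"Cafe 100%"]

if __name__ == "__main__":
    for f in scan(OBSERVED, SAVED):
        print(f["verdict"], f["ssid"], f["specifiers"], "mimics saved:", f["mimics_saved"])
```

SSIDs are handled as bytes because an SSID is an arbitrary octet string, not guaranteed text.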