The Wi-Fi network name bug that was found to completely disable an iPhone’s networking functionality had remote code execution capabilities and was silently fixed by Apple earlier this year, according to new research.
The denial-of-service vulnerability, which came to light last month, stemmed from the way iOS handled string formats associated with the SSID input, triggering a crash on any up-to-date iPhone that connected to any wireless access points with percent symbols in their names such as “%p%s%s%s%s%n.”
While the issue is remediable by resetting the network settings (Settings > General > Reset > Reset Network Settings), Apple is expected to push a patch for the bug in its iOS 14.7 update, which is currently available to developers and public beta testers.
But in what could have had far-reaching consequences, researchers from mobile security automation firm ZecOps found that the same bug could be exploited to achieve remote code execution (RCE) on targeted devices by attaching the string pattern “%@” to the Wi-Fi hotspot’s name.
ZecOps nicknamed the issue “WiFiDemon.” It’s also a zero-click vulnerability in that it allows the threat actor to infect a device without requiring any user interaction, although it requires that the setting to automatically join Wi-Fi networks is enabled (which it is, by default).
“As long as the Wi-Fi is turned on this vulnerability can be triggered,” the researchers noted. “If the user is connected to an existing Wi-Fi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this zero-click attack.”
“This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the Wi-Fi, nothing will be saved to the disk,” the company added. “After turning off the malicious access point, the user’s Wi-Fi function will be normal. A user could hardly notice if they have been attacked.”
All iOS versions starting with iOS 14.0 and prior to iOS 14.3 were found to be vulnerable to the RCE variant, with Apple “silently” patching the issue in January 2021 as part of its iOS 14.4 update. No CVE identifier was assigned to the flaw.
Given the exploitable nature of the bug, it’s highly recommended that iPhone and iPad users update their devices to the latest iOS version to mitigate the risk associated with the vulnerability.