New Wi-Fi bug in iOS could also be exploited without user intervention

Spread the love

The vulnerability in iOS that could crash a phone by connecting to a particular SSID could also be exploited for remote code execution. Apple has since closed that leak after a report from security researchers.

The new bug was discovered by security company researchers ZecOps. They call the vulnerability WiFiDemon. It is a zero-click vulnerability, so no user intervention is required. Attackers could connect an iPhone to a particular Wi-Fi network and run code on the phone remotely.

WiFiDemon builds on a vulnerability previously discovered in iOS. That bug allowed wifi to be disabled on an iPhone if it connected to ssid %p%s%s%s%s%n. It later turned out that other similar strings also caused bootloops in the Wi-Fi functionality, causing it to crash. Apple removed the ability to connect to SSIDs containing the %n string, but Zecops says that’s not the only possible vulnerability.

The researchers managed to create an SSID with the format specifier %@ used in Objective-C. As in the previous vulnerability, if an attacker can get a phone to connect to an SSID network that starts with it, it could cause a bootloop. The vulnerability can also be exploited without user intervention. To do this, an attacker would need to put %@ after an SSID to which a phone is already connected. If a user has ‘Connect automatically’ enabled for Wi-Fi networks, the phone will automatically connect to the wrong network. According to the researchers, a use after free could then be triggered with which it is possible to execute code on a telephone.

The vulnerability was in iOS versions 14 through 14.4. The researchers say the zero-click capability has been fixed in iOS 14.6, but in that version it is still possible to crash Wi-Fi if an attacker can get a user to connect to a unique SSID. This requires user interaction. For older versions, users could disable automatic scanning for and connecting to Wi-Fi networks. The crash did not get a CVE code. Apple released iOS 14.7 this week, but in the release notes nothing specific about this leak.

You might also like
Exit mobile version