Malicious iPhone Wi-Fi attack is now more dangerous than ever
Last month we told you that reverse engineer Carl Schou discovered that when trying to connect an iPhone to a Wi-Fi hotspot titled "%p%s%s%s%s%n," the phone's Wi-Fi became disabled, and even renaming the hotspot didn't help. Resetting the phone's network settings seemed to work. That is accomplished by going to Settings > General > Reset > Reset Network Settings > Confirm.
According to Forbes, Schou has since discovered that there is a way for bad actors to increase the damage done by the hack to the point that getting Wi-Fi up and running again requires a custom factory reset in which the iPhone's backup file is manually edited to remove the entries that cause the problem. There had been concerns that the hack, known formally as a format string flaw, could be enhanced to do even more damage. The goal for the bad actors is to use the attack to place malicious code onto handsets and even entire networks.
Novelty iPhone Wi-Fi hack morphs into a more dangerous malicious attack
Originally, iPhone users weren't too concerned because they would have to connect to a weirdly named Wi-Fi network in order to get hacked, and truthfully, how many of us would connect to a Wi-Fi network named "%p%s%s%s%s%n"? However, it is possible for the strange Wi-Fi network name to be disguised as a regular, legitimate-looking network name that could trick iPhone users into believing they are connecting to a legitimate Wi-Fi network.
Amichai Shulman, CTO of wireless security specialist AirEye, stated that "Our research team was able to construct the network name in a way that does not expose the user to the weird characters, making it look like a legitimate, existing network name." That is a big deal because without the flashing red light of a network named %p%s%s%s%s%n warning an iPhone user to stay away, they could easily find themselves syncing with a malicious Wi-Fi network.
If the malicious attackers can spoof legit hotspots that are used nationwide, iPhone owners won't be able to tell whether they are connecting to a Wi-Fi network helping them connect to the internet, or connecting to a hacker's trap that shuts down their Wi-Fi connection.
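From the defender's side, the spoofing concern above comes down to spotting printf-style directives in an SSID even when they are buried inside an otherwise ordinary network name. The following Python is an added example, not code from the article, Schou or AirEye: it parses conversion specifications out of scanned SSIDs and ranks each one by what its directives would do if they reached a format function, using constructed sample names (no real networks).

```python
import re

# printf-style conversion specification: %[flags][width][.precision][length]conv
# "%%" is a literal percent sign, not a directive, and is skipped below.
_DIRECTIVE = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|L|q|j|z|t)?(?P<conv>[diouxXeEfFgGaAcspn%])"
)

def find_format_directives(ssid):
    """Return [(directive_text, conversion_char), ...] for every directive in the SSID."""
    return [(m.group(0), m.group("conv"))
            for m in _DIRECTIVE.finditer(ssid) if m.group("conv") != "%"]

def ssid_risk(ssid):
    """Rank what the SSID's directives would do if it ever reached a format function:
    'none' (no directives), 'low' (numeric/char conversions only),
    'read' (%s dereferences a pointer, %p leaks one), 'write' (%n stores to memory)."""
    convs = {conv for _, conv in find_format_directives(ssid)}
    if "n" in convs:
        return "write"
    if convs & {"s", "p"}:
        return "read"
    return "low" if convs else "none"

def triage(ssids):
    """Map each flagged SSID to its risk level; clean SSIDs are omitted."""
    return {s: ssid_risk(s) for s in ssids if ssid_risk(s) != "none"}

# Constructed sample scan results (not real networks): the published SSID, a
# legitimate-looking name with a directive buried in it, a harmless "%%",
# a width-padded hex conversion, and an ordinary network.
SAMPLE_SSIDS = [
    "%p%s%s%s%s%n",
    "Airport Free WiFi %n",
    "Coffee 50%% off",
    "Guest %08x",
    "Living Room",
]

if __name__ == "__main__":
    for ssid, risk in triage(SAMPLE_SSIDS).items():
        print(f"{risk:>5}  {ssid!r}")
```

Run it over the SSID column of a Wi-Fi scan or controller log; anything ranked "write" or "read" deserves a look before a client is allowed to associate.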
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3
— Carl Schou (@vm_call) June 18, 2021
Shulman says, "Since the attack traffic is not part of the corporate network, Firewalls, NACs and Secure WLANs do not protect against this type of attack and most traditional network security solutions remain completely oblivious to it. Attack traffic can be sent over channels that are not used for corporate network traffic. Consequently, the attack goes undetected by network security solutions and does not leave any trace in the forensics and networking logs."
Will Apple push out a patch in the upcoming iOS 14.7 build currently being beta tested?
Amichai adds that Apple's MacBooks could also be vulnerable and format string flaws can also be created for devices running Android, Windows and Linux. "Airborne attacks are new and an as-yet unaddressed threat vector. Given their stealthy nature we're bound to see more such attacks," the chief technical officer says.
Apple really does need to put an end to this quickly and the best way to do that would be to disseminate a patch that would stop this malicious hack right in its tracks. Apple has been beta testing iOS 14.7 and perhaps it isn't too late to add the patch to the final version of iOS 14.7. Until this hack is definitively killed off, you will have to be suspicious of Wi-Fi networks that you've never safely connected to before.
All Apple iPhone models running iOS 14 are considered at risk.