Security researcher Carl Schou discovered a bug in Apple's iOS that can disable an iPhone's ability to connect to hotspots after joining a WiFi with the SSID "%p%s%s%s%s%n."
Schou tweeted, "after joining my personal WiFi with the SSID "%p%s%s%s%s%n", my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~)."
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled it’s WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3— Carl Schou (@vm_call) June 18, 2021
Schou told BleepingComputer that he conducted the test on an iPhone XS, running iOS version 14.4.2. BleepingComputer confirmed the test on an iPhone running iOS 14.6. They said the iPhone's wireless functionality would break after connecting to %p%s%s%s%s%n.
What this looks like is a format string bug issue, which is unusual these days. After the iPhone connected to the strangely worded hotspot, the smartphone failed at connecting to other hotspots. Android devices connected to the hotspot but didn't experience the same problem as iPhones.
A bug like this could be exploited by criminal actors who create unsecured WiFi hotspots called %p%s%s%s%s%n in a populated area and would wreak havoc on iPhone users trying to connect.
BleepingComputer says this is a "string formatting vulnerability."
Other security researchers who saw Schou's tweet and analyzed the crash report believe that an input parsing issue likely causes this bug.
When a string with "%" signs exists in WiFi hotspot names, iOS may be mistakenly interpreting the letters following "%" as string-format specifiers when they are not.
In C and C-style languages, string format specifiers have a special meaning and are processed by the language compiler as a variable name or a command rather than just text.
For example, the following printf command does not actually print the "%n" character but stores the number of characters (10) preceding %n into the variable "c."
The "%n" is merely a format specifier and not an actual text string. As such, the output of the following line will simply be "geeks for geeks," with no mention of "%n."
The good news is there's a fix that requires a reset of iOS network settings.
While this bug is not widely known yet, imagine if malicious actors set up fake hotspots across dense metro areas and caused a WiFi crisis among iPhone users... Apple should really look into this bug.