Wi-Fi Vulnerability in iOS Allows Remote Code Execution

A vulnerability in iOS that makes it possible to crash the Wi-Fi functionality of iPhones connecting to a particular Wi-Fi network also appears to allow remote code execution without user interaction, according to security company ZecOps. Apple already fixed the remote code execution portion of the vulnerability earlier this year.

Last month, security researcher Carl Schou showed how it is possible to crash the Wi-Fi functionality of iPhones when connecting to a Wi-Fi network called "%p%s%s%s%s%n". Because the Wi-Fi network name is stored, and iOS reads it when connecting to a Wi-Fi network, a loop can occur that makes the Wi-Fi functionality unusable.

Resetting the network settings, which removes all names of previously saved Wi-Fi networks, appears to solve the problem. ZecOps researchers state that the underlying vulnerability can also be used to run code on vulnerable iPhones. To do this, simply add "%@" to the name of a Wi-Fi network. Like the Wi-Fi network name that Schou discovered, this causes a crash, but one that can lead to a use-after-free vulnerability and allow code execution.

According to ZecOps, the vulnerability can also be exploited for zero-click attacks, where no user interaction is required to perform the attack. In this case, an attacker would have to create a malicious Wi-Fi network name and wait for a victim to be nearby. iOS automatically tries to connect to nearby Wi-Fi networks.

The vulnerability has been present since the launch of iOS 14.0 and was fixed with iOS 14.4, released in January this year. However, the vulnerability was not assigned a CVE number. Furthermore, ZecOps claims that the underlying vulnerability has been partially fixed, so that Schou's attack still works against iOS 14.6. Users are advised to update to this version as it prevents the zero-click attack. It is also recommended to disable the Wi-Fi auto-join feature.
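Both network names quoted above consist of printf-style conversion sequences, so the defensive pattern is to treat an SSID as untrusted bytes and never as a format string. The following is an added example, not code from Apple, ZecOps or the original article: it assumes the crash comes from the name being interpreted as a format string, and the function names `ssid_has_format_directive` and `format_ssid_log` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SSID_MAX 32  /* an 802.11 SSID is at most 32 octets */

/* Return 1 if the SSID contains '%' that is not part of a literal "%%". */
int ssid_has_format_directive(const unsigned char *ssid, size_t len) {
    for (size_t i = 0; i < len; i++) {
        if (ssid[i] != '%') continue;
        if (i + 1 < len && ssid[i + 1] == '%') { i++; continue; }
        return 1;  /* e.g. "%p", "%n", "%@", or a trailing lone '%' */
    }
    return 0;
}

/* Build a log line with the SSID passed as data under a constant format
 * string. Non-printable bytes and backslashes are hex-escaped. */
int format_ssid_log(char *out, size_t outsz,
                    const unsigned char *ssid, size_t len) {
    char safe[SSID_MAX * 4 + 1];
    size_t o = 0;
    if (len > SSID_MAX) len = SSID_MAX;
    for (size_t i = 0; i < len; i++) {
        if (ssid[i] >= 0x20 && ssid[i] < 0x7f && ssid[i] != '\\')
            safe[o++] = (char)ssid[i];
        else
            o += (size_t)snprintf(safe + o, sizeof safe - o,
                                  "\\x%02x", (unsigned)ssid[i]);
    }
    safe[o] = '\0';
    /* The unsafe pattern would be snprintf(out, outsz, ssid_string). */
    return snprintf(out, outsz, "joining network \"%s\"", safe);
}

int main(void) {
    /* Constructed sample SSIDs; the first two are the names quoted above. */
    const char *samples[] = { "%p%s%s%s%s%n", "%@", "HomeNet", "Cafe 100%%" };
    char line[192];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const unsigned char *s = (const unsigned char *)samples[i];
        size_t n = strlen(samples[i]);
        format_ssid_log(line, sizeof line, s, n);
        printf("%-34s flagged=%d\n", line, ssid_has_format_directive(s, n));
    }
    return 0;
}
```

The detector is suitable for flagging suspicious names in scan results or saved-network lists; the logging function shows that such a name is harmless once it is only ever passed as an argument.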
