iPhone Bug Allows Remote Device Takeover
A vulnerability in Apple iOS allows remote code execution (RCE). This assessment revises an earlier one that classified the flaw as a low-risk denial-of-service (DoS) problem affecting the iPhone's Wi-Fi feature. Apple fixed the original DoS issue in iOS 14.6 without issuing a CVE. When ZecOps researchers analyzed the flaw, they found that it could be used for RCE without any interaction from the victim, and that it also worked on fully patched iPhones.
Researchers are calling the attack method "WiFiDemon." A successful attack would allow a hacker to take over the phone, install malware and steal data. According to some sources, the flaw is expected to be patched within the next week. The original issue was a format-string bug discovered by researcher Carl Schou, who found that connecting to an access point with the SSID "%p%s%s%s%s%n" would disable a device's Wi-Fi. Format-string problems occur when software mistakenly interprets characters in untrusted input as formatting directives, in this case the "%" combined with various letters. Rebooting the phone or changing the SSID re-enabled the Wi-Fi. The problem can also be fixed by resetting the Wi-Fi feature in Settings, but that wipes out all saved passwords.
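To make the format-string bug class concrete, here is an added C example (not code from the article or from Apple, ZecOps or Carl Schou). It shows the vulnerable pattern of passing an attacker-controlled SSID as a format string next to the hardened pattern of keeping it as data, plus a small defender-side check that flags SSIDs carrying format directives. The set of conversion characters it recognises, including the Objective-C "%@" specifier, and the sample SSIDs are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Conversion characters that turn a '%' into a directive. This list is an
 * assumption for the example: the common C printf conversions plus '@',
 * which Objective-C's NSString formatting uses for an object argument. */
static const char FORMAT_CONVERSIONS[] = "diouxXeEfFgGaAcspn@";

/* Returns true when the SSID contains a '%' that, after any flags, width,
 * precision or length modifiers, is followed by a conversion character.
 * "%%" is a literal percent sign and is not a directive. */
bool ssid_has_format_directive(const char *ssid)
{
    for (const char *p = ssid; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            return false;          /* trailing '%' is harmless on its own */
        if (*p == '%')
            continue;              /* "%%" -> literal '%' */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                   /* skip flags / width / precision / length */
        if (*p && strchr(FORMAT_CONVERSIONS, *p))
            return true;
        if (*p == '\0')
            return false;
    }
    return false;
}

/* VULNERABLE: the SSID itself is used as the format string, so any "%s" or
 * "%n" inside it is interpreted as a directive. This is the bug class the
 * article describes; it must never be called with untrusted input. */
int describe_network_unsafe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, ssid);
}

/* HARDENED: the format string is a fixed literal and the SSID is only ever
 * consumed as a "%s" argument, so its '%' characters are inert. */
int describe_network_safe(char *out, size_t n, const char *ssid)
{
    return snprintf(out, n, "joined network: %s", ssid);
}

/* Helper for checking that the safe path reproduces the SSID verbatim. */
bool safe_path_keeps_ssid_literal(const char *ssid)
{
    char buf[128];
    char expected[128];
    describe_network_safe(buf, sizeof buf, ssid);
    snprintf(expected, sizeof expected, "joined network: %s", ssid);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample SSIDs: the article's DoS string, a name carrying
     * the Objective-C specifier, and three benign names. */
    const char *samples[] = {
        "%p%s%s%s%s%n", "Free%@Wifi", "CoffeeShop Free Wi-Fi",
        "50%% off", "Cafe 100%"
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *ssid = samples[i];
        printf("%-24s directive=%s\n", ssid,
               ssid_has_format_directive(ssid) ? "yes" : "no");
        /* Only the hardened formatter is ever fed the samples. */
        describe_network_safe(buf, sizeof buf, ssid);
        printf("  safe: %s\n", buf);
    }
    /* The unsafe variant is shown compiled but only called with a constant
     * that contains no '%', to make the contrast visible without UB. */
    describe_network_unsafe(buf, sizeof buf, "benign-ssid");
    printf("  unsafe (benign input only): %s\n", buf);
    return 0;
}
```

The detector errs on the side of printf semantics: "100% Free" would be flagged because "% F" is a valid directive (space flag, F conversion), whereas "50%% off" and a trailing "%" are not. Whatever the detector says, the real fix is the one in describe_network_safe: untrusted bytes never become the format argument.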
A user would need to connect to a malicious access point for the bug to be exploited. On earlier iPhone releases, however, there is no need to trick victims: the Auto-Join feature is turned on by default, which lets iPhones automatically connect to available Wi-Fi networks in the background. A hacker would only need to set up an open, non-password-protected, malicious SSID within range of the victim. Dirk Schrader, global vice president at New Net Technologies, predicted that the bug would inspire hackers to dig deeper into the inner workings of Apple's Wi-Fi stack to find out what, exactly, causes the behavior and how to exploit it. His prediction came true.
The RCE weakness exists within wifid, a system daemon that handles protocols associated with Wi-Fi connections. According to the researchers, wifid runs as root. To exploit the bug, a hacker can set up a series of Wi-Fi hotspots with names containing "%@". That character combination is specific to the Objective-C programming language, where it is the format specifier for an object. The exploit relies on an object in memory that has already been released, alters the content of that memory using a spray technique, and then uses %@ to make the code treat it as a live Objective-C object. It behaves like a typical use-after-free vulnerability that could lead to code execution. The researchers created a proof-of-concept attack that uses beacon flooding for the spraying. They used a $10 wireless dongle and a Linux virtual machine to carry out the attack.
Apple hasn't issued a patch for the RCE part of the bug yet. Because the vulnerability has been widely published and is relatively easy to notice, the researchers are urging Apple to issue a patch as soon as possible. In the meantime, users should disable the Wi-Fi Auto-Join feature via Settings->WiFi->Auto-Join Hotspot->Never. iPhone users should also avoid connecting to unknown Wi-Fi hotspots in general, and especially any whose name contains the "%@" sequence.