AppleInsiderissupportedbyitsaudienceandmayearncommissionasanAmazonAssociateandaffiliatepartneronqualifyingpurchases.Theseaffiliatepartnershipsdonotinfluenceoureditorialcontent.
AbuginthewayiOShandlesWi-Fihotspotnamesisapparentlyworsethanfirstthought,withonemalformedSSIDfoundtodisableWi-FiaccessonaniPhonecompletely,requiringafactoryresettorectifyit.
InJune,securityresearcherCarlSchoudiscoveredapersonalWi-Fihotspotnameof"%p%s%s%s%s%n"causesproblemsforiOSdevices.ItwasfoundthatiPhonessimplycouldn'tconnecttothehotspot,andinfactdisabledWi-Ficonnectivityinsomeinstances.
WhilethatissuecouldbefixedbyresetingthenetworksettingswithiniOS,SchouhassincediscoveredavariantalongthesamelinesthatcancausemoreharmtoanunsuspectingiPhone.AccordingtoSchouinatweetonSunday,usingtheSSID"%secretclub%power"candisableaniOSdevice'sWi-Ficapabilities,withnoguaranteethatanetworksettingsresetwillrestoreconnectivity.
YoucanpermanentlydisableanyiOSdevice'sWiFIbyhostingapublicWiFinamed%secretclub%powerResettingnetworksettingsisnotguaranteedtorestorefunctionality.#infosec#0day
—CarlSchou(@vm_call)July4,2021
SchouclaimstheiPhoneusedtoteststilldidn'thaveWi-FiafterrepeatedresetsofnetworksettingsandaforcedrestartoftheiPhone.TheresearcherhasalsocontactedApple'sdevicesecurityteamoverthematter,buthasyettohearanythingback.
Theoriginalbugwasbelievedtobeanissuewithinputparsing,wherethepercentagesigncouldbemisinterpretedbyiOSasastring-formatspecifier,namelythatcharactersfollowingthesymbolcouldbeconsideredavariableoracommandinsteadofplaintext.
WhilethenewSSIDdoesjokinglypromoteSecretClub,atechnologyexplorationgroupSchouisinvolvedwith,theuseofthepercentagesignsfollowedbythecharactersSandParemostlikelytheproblemareasforthehotspotnamebug.Analysisoftheissueconfirmsaformatstringbugisbehindit,thoughitdoesn'tseemtobeahighlyexploitablevulnerabilityforabadactor.
ItishighlylikelythattherearemanymorecombinationsoftextstringsthatcouldcauseproblemswithiniOSinthismanner,butonlyuntilthebugispatchedoutbyApple.Whilethecompanyisbeta-testingiOS14.7andiOS15,itisuncleariftheissuewillbefixedinthosereleasesbythecompany.
Forthemoment,AppleInsiderrecommendsusersdon'tconnecttounfamiliarWi-Fiaccesspoints,especiallyiftheyincludeunusualsymbols.
KeepupwitheverythingAppleintheweeklyAppleInsiderPodcast—andgetafastnewsupdatefromAppleInsiderDaily.Justsay,"Hey,Siri,"toyourHomePodminiandaskforthesepodcasts,andourlatestHomeKitInsiderepisodetoo.
Ifyouwantanad-freemainAppleInsiderPodcastexperience,youcansupporttheAppleInsiderpodcastbysubscribingfor$5permonththroughApple'sPodcastsapp,orviaPatreonifyoupreferanyotherpodcastplayer.
