Unpatched iPhone Bug Allows Remote Device Takeover

2021-07-19 21:31

The original DoS issue is a string-format bug discovered by researcher Carl Schou, who found that connecting to an access point with the SSID "%p%s%s%s%s%n" would disable a device's Wi-Fi. String-format problems occur when operating systems mistakenly read certain characters as commands: In this case, the "%" combined with various letters.

"My iPhone permanently disabled it's [sic] Wi-Fi functionality," Schou wrote in his writeup, in June.

For earlier iPhone releases, there's no need to lure a victim in: The Auto Join feature is turned on by default on iPhones, allowing them to automatically connect to available Wi-Fi networks in the background.

At the time of Schou's writeup, Dirk Schrader, global vice president at New Net Technologies, predicted that the bug would inspire threat actors to dig "Deeper into the inner workings of Apple's Wi-Fi stack" to find out "What, exactly, causes the behavior and how to exploit it." That prediction turned out to be true.

ZecOps researchers explained that while further probing the bug, they discovered that an RCE weakness exists within "Wifid," a system daemon that handles protocols associated with Wi-Fi connections Wifid runs as root, researchers said.

Apple hasn't issued a patch for the RCE part of the bug.

News URL

https://threatpost.com/unpatched-iphone-bug-remote-takeover/167922/

#iphone #takeover