Security News > 2021 > July > Researchers: Apple Quietly Patched 0-Click Wi-Fi Code Execution Vulnerability in iOS
Apple in early 2021 quietly patched an iOS vulnerability that could lead to remote code execution when connecting to a Wi-Fi access point that had a specially crafted SSID. The issue was initially brought to light last month, when reverse engineer Carl Schou discovered that the Wi-Fi functionality on his iPhone would completely crash when connecting to a hotspot that had the SSID "%p%s%s%s%s%n.
The issue, which impacts all iOS devices running iOS 14.0 to 14.6, was deemed to be a format string bug, where iOS is considering the characters that follow "%" as string-format specifiers, meaning that they are processed as commands, rather than text.
To achieve remote code execution, the researchers say, the targeted device needs to have WiFi enabled and set to Auto-Join, for the device to be running a vulnerable iOS version, and for it to be in the proximity of a Wi-Fi access point that has a tailored name to trigger the bug.
An attack exploiting the vulnerability leverages the fact that an iOS device scans WiFi to join roughly every 3 seconds when the device is in use, or anywhere between 10 seconds to more than 1 minute if the screen is off.
Thus, an attacker could create a malicious access point, launch a beacon flooding attack against the target device, cause the device's Wi-Fi to crash and re-spawn, control the content of the stack to trigger a use-after-free and leverage it for remote code execution.
Apple silently patched the vulnerability in iOS 14.4, without assigning a CVE. However, the bug can still be abused to crash the Wi-Fi on devices running iOS 14.0 to iOS 14.6, leading to a denial of service condition, the researchers say.