A security researcher has discovered that creating a public network called ‘%secretclub%power’ can disable any iPhone’s WiFi capabilities - with only one, niche, solution.
Software engineer Carl Schou revealed on Twitter that the network name completely disables WiFi on any device that connects to it, and that the damage cannot be undone by rebooting the device or resetting the iPhone’s network settings.
To restore functionality, users would have to manually edit an iPhone backup and remove the malicious network name from within the files in iOS and macOS.
The bug occurs because “the wifi component puts the WiFi name into a string, which is later passed to a format function when it logs some debug information internally to the device”, Schou told The Independent.
“This causes the format function to look for strings (%s) and pointers (%p) that do not exist. The string format specifier causes a ‘null pointer dereference’, as it tries to read a string from non-existent memory.”
This is not the first strange WiFi error Schou has found. Last month, he discovered that iOS devices are not able to join WiFi networks with names such as “%p%s%s%s%s%n”, with the issue also stopping local network features like AirDrop.
It is unclear why exactly this bug happens, but 9to5Mac hypothesised that it is because a percentage sign followed by a letter is used in programming languages to format variables (names that hold values) into an output string (a series of characters used to store information, similar to a sentence in English).
In the programming language C, “%n” is a conversion specifier that stores the number of characters written so far into a variable whose address is passed to the string format function. It is likely that the WiFi system on iPhones and iPads passes the network name (the ‘Service Set IDentifier’ or SSID) directly to an internal library that is performing string formatting, which can cause an arbitrary memory write (data being written to a location in memory the program never intended) and a buffer overflow.
Arbitrary memory here means memory anywhere in the device’s system, which the specifiers in the string can cause the program to read or write, while a buffer is a fixed-size region of memory set aside to hold one piece of data without affecting others. If it is ‘overflowed’, the program is also writing to other areas it should not be.
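The mechanism described above can be shown without touching any Apple code. The following is an added example, not code from iOS or from Schou: a hypothetical debug logger (log_debug) that forwards its arguments to vsnprintf, the vulnerable pattern in which the SSID itself is used as the format string, the hardened pattern in which a fixed format string carries the SSID as a plain argument, and two defensive helpers (count_format_directives, escape_percent) that are assumptions of this example rather than anything the article attributes to Apple. The SSIDs used are the two named in the article plus an ordinary one.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical debug logger standing in for the component described in the
 * article. It forwards whatever it is given to vsnprintf, exactly like any
 * printf-family call would. */
static void log_debug(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the network name itself becomes the format string.
 * With an SSID such as "%p%s%s%s%s%n" this is undefined behaviour: each %s
 * reads a pointer that was never passed, and %n writes through one. Shown
 * only to make the shape of the bug visible; it is never called below. */
void log_ssid_unsafe(char *out, size_t n, const char *ssid)
{
    log_debug(out, n, ssid);
}

/* Hardened pattern: a fixed format string, with the SSID as an argument.
 * Percent signs in the SSID are now plain data and are copied verbatim. */
void log_ssid_safe(char *out, size_t n, const char *ssid)
{
    log_debug(out, n, "Joining network: %s", ssid);
}

/* Defensive check: count conversion directives in an SSID. A '%' followed by
 * another '%' is a literal percent sign, not a directive. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* "%%" renders as a single literal '%' */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Mitigation for code that must hand data onward as a format string: double
 * every '%' so the text renders literally. Returns 0 on success, -1 if out
 * is too small (out is left with whatever was written so far, unterminated). */
int escape_percent(const char *in, char *out, size_t n)
{
    size_t j = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (j + need >= n)   /* keep one byte for the terminating NUL */
            return -1;
        out[j++] = *in;
        if (*in == '%')
            out[j++] = '%';
    }
    out[j] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample SSIDs: the two from the article and an ordinary one */
    const char *ssids[] = { "HomeNet", "%secretclub%power", "%p%s%s%s%s%n" };
    char line[128], esc[128];

    for (size_t i = 0; i < sizeof ssids / sizeof ssids[0]; i++) {
        log_ssid_safe(line, sizeof line, ssids[i]);
        escape_percent(ssids[i], esc, sizeof esc);
        printf("%-20s directives=%d log=\"%s\" escaped=\"%s\"\n",
               ssids[i], count_format_directives(ssids[i]), line, esc);
    }
    return 0;
}
```

The safe logger prints ‘%p%s%s%s%s%n’ exactly as typed, because the only directive vsnprintf interprets is the literal “%s” in the fixed format. The directive counter is the kind of check a defender can run over names arriving from an untrusted source before they reach any logging or display path, and the escaping helper is the fallback for code paths where the text cannot avoid being treated as a format string.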
Although this is a very unlikely series of events to happen, there is a way to fix that earlier bug if it does: the iPhone ‘Reset Network Settings’ option allows users to reset all saved WiFi passwords, which removes the name (and its effects) from the device’s memory.
Apple did not respond to a request for comment about the bugs before time of publication.