Days after an iPhone WiFi bug made it to the news, the same researcher found another vulnerability. This one, however, can disable the WiFi functionality almost permanently, which means restoring the device takes considerably more effort.
iPhone WiFi Vulnerability Permanently Disabling WiFi
Recently, Carl Schou has found another vulnerability that breaks the WiFi functionality of an iPhone.
Disclosing it in a tweet, Schou stated that the glitch appeared upon renaming a WiFi network's SSID to “%secretclub%power” and trying to connect to it.
While this is similar to his previous finding, where the bug was triggered by the SSID “%p%s%s%s%s%n”, the two differ in their impact.
Specifically, recovering from the earlier bug was easy with a quick network settings reset. After testing the second one, however, Schou could not restore the iPhone’s WiFi functionality by resetting network settings.
You can permanently disable any iOS device's WiFi by hosting a public WiFi named %secretclub%power
Resetting network settings is not guaranteed to restore functionality. #infosec #0day — Carl Schou (@vm_call) July 4, 2021
Eventually, Schou had to contact Apple’s device security team, as it became impossible to restore the device.
How To Fix Disabled WiFi?
Once again, the problem seemingly lies with format specifiers in the WiFi SSID: “%secretclub%power” contains “%s” (the start of “%secretclub”) and “%p” (the start of “%power”). This differs from the previous glitch, where the third “%s” in “%p%s%s%s%s%n” triggered the bug; here the SSID has only one “%s”, at the beginning, followed by a “%p” in the middle of the name.
According to the analysis by Saif and Alex Skalozub, the problem basically lies with the presence of “%s” in the SSID. What made the second discovery worse, however, was a previously saved malicious SSID among the device’s known networks.
In simple words, what turned this into a “permanent DoS” was that the earlier malicious SSID “%p%s%s%s%s%n” was still stored on Schou’s device. With two saved malicious SSIDs, a network settings reset could no longer restore the WiFi functionality.
To recover from this state, the user has to back up the device, then edit the backup by manually deleting the malicious entries from com.apple.wifi.known-networks.plist.
When trying this workaround, Saif had to use iMazing to repair the backup file, which had been corrupted by the modification. Restoring the repaired backup then re-enabled WiFi.
Following this discovery, Skalozub also put up a quick online tool that automatically removes bad SSIDs.
Automatic bad SSID remover: https://t.co/mZPhULPjyp
Supports both encrypted and unencrypted backups. Not tested, use at your own risk
— Alex Skalozub (@pieceofsummer) July 6, 2021
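As an added example (not Schou’s, Saif’s or Skalozub’s code), the following Python script performs the manual step described above: it parses a copy of com.apple.wifi.known-networks.plist, drops every known-network entry whose SSID contains a printf-style conversion specifier, and re-serialises the cleaned plist. The plist layout assumed here (top-level keys of the form “wifi.network.ssid.<name>” with “SSID”/“SSID_STR” fields inside each entry) and the sample entries are constructed for the example, not taken from the article; the script therefore checks both the key suffix and the inner fields, so it works if only one of them is present.

```python
"""
Remove Wi-Fi entries whose SSID contains printf-style format specifiers
from a com.apple.wifi.known-networks.plist extracted from an iTunes/Finder
backup.  Added example; not the tool from the article.

Assumptions (not confirmed by the article):
  * the plist is a top-level dict keyed like "wifi.network.ssid.<name>",
    whose inner dict may carry "SSID" (bytes) or "SSID_STR" (str);
  * the caller has already pulled the plist out of an unencrypted (or
    decrypted) backup and will put the cleaned copy back the same way.
"""
import plistlib
import re

# One printf conversion: '%', optional flags/width/precision/length modifier,
# then a conversion character.  "%%" is a literal percent, filtered out below.
_SPEC = re.compile(
    r"%[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|L|j|z|t)?"
    r"([diouxXeEfFgGaAcspn%])"
)

KEY_PREFIX = "wifi.network.ssid."  # assumed key layout, see docstring


def find_specifiers(ssid: str) -> list[str]:
    """Conversion characters a C format parser would act on, in order."""
    return [c for c in _SPEC.findall(ssid) if c != "%"]


def is_dangerous_ssid(ssid: str) -> bool:
    return bool(find_specifiers(ssid))


def _candidate_names(key: str, entry) -> list[str]:
    """Every string that might be the SSID of one known-network entry."""
    names = []
    if key.startswith(KEY_PREFIX):
        names.append(key[len(KEY_PREFIX):])
    if isinstance(entry, dict):
        for field in ("SSID_STR", "SSID"):
            value = entry.get(field)
            if isinstance(value, bytes):
                value = value.decode("utf-8", "replace")
            if isinstance(value, str):
                names.append(value)
    return names


def remove_bad_networks(networks: dict) -> tuple[dict, list[str]]:
    """Return (cleaned copy of the dict, SSIDs that were dropped)."""
    cleaned, removed = {}, []
    for key, entry in networks.items():
        bad = [n for n in _candidate_names(key, entry) if is_dangerous_ssid(n)]
        if bad:
            removed.append(bad[0])
        else:
            cleaned[key] = entry
    return cleaned, removed


def clean_plist_bytes(data: bytes) -> tuple[bytes, list[str]]:
    """Parse a binary or XML plist, drop bad entries, re-serialise as binary."""
    cleaned, removed = remove_bad_networks(plistlib.loads(data))
    return plistlib.dumps(cleaned, fmt=plistlib.FMT_BINARY), removed


def load_networks(data: bytes) -> dict:
    return plistlib.loads(data)


# Constructed sample standing in for the real file: one benign network plus
# the two SSIDs from the article.
SAMPLE_NETWORKS = {
    KEY_PREFIX + "HomeNet": {"SSID_STR": "HomeNet", "SSID": b"HomeNet"},
    KEY_PREFIX + "%p%s%s%s%s%n": {"SSID_STR": "%p%s%s%s%s%n"},
    KEY_PREFIX + "%secretclub%power": {"SSID": b"%secretclub%power"},
}


def sample_backup_bytes() -> bytes:
    """The constructed sample in the binary form a backup would contain."""
    return plistlib.dumps(SAMPLE_NETWORKS, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    import sys
    # usage: python clean_known_networks.py <plist-from-backup> <cleaned-plist>
    src, dst = sys.argv[1], sys.argv[2]
    with open(src, "rb") as f:
        out, removed = clean_plist_bytes(f.read())
    with open(dst, "wb") as f:
        f.write(out)
    print("removed:", removed)
```

Run it only against a copy of the backup, and write the cleaned file back with a tool that keeps the backup consistent: as noted above, Saif’s hand-edited backup ended up corrupted and needed iMazing to repair, so the plist edit itself is the easy half of the job.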