Discovered by Carl Schou, a senior security engineer at Ant Financial Light-Year Security Labs, the bug can permanently disable an iPhone’s Wi-Fi functionality after the device joins a network called “%p%s%s%s%s%n”. The feature stays disabled even after rebooting the device or changing the network’s name.
The practical risk is that threat actors could set up Wi-Fi hotspots with the “%p%s%s%s%s%n” name to damage the wireless features of iPhones that join them.
Where does the “%p%s%s%s%s%n” Wi-Fi issue come from?
The issue originates from a string formatting bug in the way iOS parses the SSID input, creating a denial-of-service condition. According to a short technical analysis, “to trigger this bug, you need to connect to that WiFi, where the SSID is visible to the victim. A phishing Wi-Fi portal page might as well be more effective.”
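The bug class described above (attacker-controlled text used as a printf-style format string), shown as an added C example; it is not Apple's code and not taken from the cited analysis. The function names and the log message are hypothetical, and the vulnerable form is compiled only when `DEMO_VULNERABLE` is defined.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the SSID named in the article. */
static const char SAMPLE_SSID[] = "%p%s%s%s%s%n";

#ifdef DEMO_VULNERABLE
/* Bug class (CWE-134): network-supplied bytes become the format string, so
 * each %s/%p/%n makes snprintf read or write through arguments that were
 * never passed. Left out of the default build. */
static int log_join_vulnerable(char *out, size_t n, const char *ssid) {
    return snprintf(out, n, ssid);
}
#endif

/* Hardened form: the format is a constant and the SSID is only data. */
static int log_join_safe(char *out, size_t n, const char *ssid) {
    return snprintf(out, n, "Attempting to join: %s", ssid);
}

/* Count '%' characters that start a conversion; "%%" is a literal percent.
 * Useful as a test oracle or lint check, not as a substitute for the fix. */
static int count_format_directives(const char *s) {
    int count = 0;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        if (s[i + 1] == '%') { i++; continue; }   /* escaped percent */
        if (s[i + 1] != '\0') count++;
    }
    return count;
}

int main(void) {
    char line[128];
    log_join_safe(line, sizeof line, SAMPLE_SSID);
    printf("%s\n", line);   /* SSID appears verbatim, nothing is interpreted */
    printf("directives in SSID: %d\n", count_format_directives(SAMPLE_SSID));
    return 0;
}
```

Building C code with `-Wformat -Wformat-security` flags calls of the vulnerable shape at compile time.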
Does the “%p%s%s%s%s%n” Wi-Fi bug affect Android devices?
So far, it seems that the problem can’t be re-created on Android devices. As for iPhones that have been affected, their owners should reset their iOS network settings by going to Settings > General > Reset > Reset Network Settings and confirming the action.
In March, security researchers discovered that Automatic Call Recorder, an iOS call recording application, contained a bug that could give access to users’ conversations. The only thing needed to exploit the bug is providing the correct phone number. The vulnerability was reported by security researcher Anand Prakash, and is already fixed. The app itself is quite popular among iPhone users, ranked at number 15 in the Apple store’s Business category. Its popularity and widespread use could make the bug’s impact significant.
In short, this bug could enable threat actors to eavesdrop on users’ call recordings from the app’s cloud storage bucket. An unauthenticated API endpoint leaked the cloud storage URL.