WiFi SSIDs in Apple iOS have a format string vulnerability (twitter.com/vm_call)
92 points by eqvinox on June 19, 2021 | 10 comments



Again? This happened a few years ago and you could crash an iPhone just by setting a specific name. Lots of people went around running hotspots and crashing iPhones.

I would think Apple would learn from its previous mistakes.


Correct me if I am wrong, but this appears to be a format string bug because of the %n at the end?

If someone could look at the crash and explain what is happening, it would be great! :)


What are the chances this is a bug in the driver or some low-level service?


Does it matter?

He said he changed the SSID, so my guess would be as the iPhone tried to retrieve its list of previously connected SSIDs, it saw the evil SSID and crashed again...

So the UI probably does talk to a service, the UI said "Turn on WiFi and give me the list of networks you know" (maybe not in a single step), and the service crashed (huh, but why?), and the UI can only say "WiFi is off".

In a better OS there would be a "reset this service's configuration".

Off-topic: Emojis are allowed in SSIDs. I'm surprised no one has abused this yet, but I guess people just leave their SSIDs at LinkSys_BA69BE42 or similar.


> In a better OS there would be a "reset this service's configuration".

There literally is this option on iOS.


> Emojis are allowed in SSIDs. I'm surprised no one has abused this yet, but I guess people just leave their SSIDs at LinkSys_BA69BE42 or similar.

Considering how many devices like printers, game machines, and IoT devices can't handle emojis, there's no good reason to use them unless you just want to make life harder for yourself.


Can this be made to happen in TestFlight or Xcode?


Always validate input.

ALWAYS.


There’s nothing invalid about an SSID containing percent characters.


Better yet, don’t put attacker-controlled strings into format string arguments :-/
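
The point made in the last two comments, as an added example that is not part of the original thread and is not Apple's code: a percent sign is legal in an SSID, so the fix is a constant format string with the SSID passed as data. The function names and the sample SSID `cafe%s%n` are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define SSID_MAX 32  /* 802.11 SSIDs are at most 32 octets */

/* Vulnerable pattern (shown only as a comment, never compiled):
 *     snprintf(out, n, ssid);    // the SSID becomes the format string
 * Any %s or %n in the network name is then interpreted by printf. */

/* Hardened form: constant format string, SSID passed strictly as data.
 * The SSID is a length-delimited byte string, so bound it with %.*s. */
int format_ssid_log(char *out, size_t n, const char *ssid, size_t len)
{
    if (len > SSID_MAX)
        len = SSID_MAX;
    return snprintf(out, n, "joining network \"%.*s\"", (int)len, ssid);
}

/* Audit helper (approximate): count the '%' sequences printf would try
 * to act on if `s` were misused as a format string. "%%" is a literal
 * percent sign; a lone '%' as the final byte is not counted. */
size_t count_conversions(const char *s, size_t len)
{
    size_t count = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (s[i] != '%')
            continue;
        if (s[i + 1] != '%')
            count++;
        i++;  /* skip the character after '%' either way */
    }
    return count;
}

int main(void)
{
    const char ssid[] = "cafe%s%n";   /* constructed sample SSID */
    char line[96];
    format_ssid_log(line, sizeof line, ssid, strlen(ssid));
    printf("%s (conversions if misused: %zu)\n", line,
           count_conversions(ssid, strlen(ssid)));
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC and Clang) flags the commented-out pattern at compile time when the format argument is not a string literal.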



