back to article It's 2021 and a printf format string in a wireless network's name can break iPhone Wi-Fi

Joining a Wi-Fi network with a specific sequence of characters in its SSID name will break wireless connectivity for iOS devices. Thankfully the bug looks to be little more than an embarrassment and inconvenience. On Friday, Carl Schou, a security researcher in Denmark, reported that his iPhone lost its Wi-Fi capability after …

  1. Sparkus Bronze badge

    Time to try a fresh honepot

    in the neighborhood. The old "FBI Surveillance Van' ssid just isn't doing it anymore......

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to try a fresh honepot

      At first glance I thought it had read "%p%o%i%s%o%n". (I'm surprised the investigators didn't try that)

      Somehow I think that SSID name would also get lots of attempts by the same people who'd try "FBI Surveillance Van".

      I also think a lot of people will also be (temporarily) changing SSID names just to poke the iPhone fans.

    2. chivo243 Silver badge

      Re: Time to try a fresh honepot

      My cousin has that one too!

      1. Paul Kinsler Silver badge

        Re: Time to try a fresh honepot

        Is that like when you leave a temptingly sharp axe next to a flagpole flying the Union Jack? :-)

        .

        \cite{NZ}

        1. Paul Kinsler Silver badge

          Re: Time to try a fresh honepot

          Downvotes? It would seem that the events of 1845 in Kororāreka (Russell) are still far too fresh in the minds of some around here. I can imagine Chief Heke being quite pleased that his actions still resonate today.

    3. Anonymous Coward Silver badge
      Paris Hilton

      Re: Time to try a fresh honepot

      "Bathroom camera" caused a bit of concern in the university dorms...

      1. Strahd Ivarius Silver badge

        Re: Time to try a fresh honepot

        So time to try %Bathroom %Camera %System ?

    4. elsergiovolador Silver badge

      Re: Time to try a fresh honepot

      What would FBI surveillance van be doing in Bradford?

      1. Anonymous Coward
        Anonymous Coward

        ...

        Spying on the FBI, of course.

    5. Version 1.0 Silver badge
      Joke

      Re: Time to try a fresh honepot

      %Bitcoin would be a good honeypot ...

  2. Kevin McMurtrie Silver badge

    How wide?

    The NSString documentation isn't clear on what parts of the printf spec it supports. If it supports padding to 2000000000 characters, it just might do some damage.

    (Browsing through code samples reminds me that dropping MacOS development from my career because of Objective C was a good call)

    1. bombastic bob Silver badge
      Unhappy

      Re: How wide?

      not just width but unspecified parameters too?

      Like "%.*g" repeated a bunch of times...

  3. Red Ted Silver badge
    FAIL

    I never thought I would use the phrase…

    Oh My God and really mean it!

    That is just awful.

  4. HildyJ Silver badge
    WTF?

    When?

    Did programmers decide it was too much trouble to have a program check its inputs?

    %s%s%s my %a%s%s

    1. DS999 Silver badge

      Re: When?

      They don't need to have it check its inputs, they need to have it do printf("%s", SSID_NAME") instead of printf(SSID_NAME)

      1. Anonymous Coward
        Anonymous Coward

        Re: When?

        I think i'd use print(SSID_NAME) personally then you don't need to worry about the next developer coming along and changing it back after they think to themselves wtf without understanding why.

        1. Vic Not 20

          Re: When?

          And on the 1st day after the hackathon ${deity} invented comments...

  5. JWLong Bronze badge

    StarBucks

    Free coffee would never be an issue there.

    1. Stoneshop Silver badge
      Mushroom

      Free coffee would never be an issue there.

      For reasons strongly related to the word 'coffee'.

      Hot brown fluid that may or may not have originated in the vicinity of a ground coffee bean, and weirdly and liberally adulterated with non-coffee flavourings, would be a more fitting description.

      1. David 132 Silver badge

        Re: Free coffee would never be an issue there.

        To paraphrase Douglas Adams - a liquid almost, but not quite, entirely unlike coffee.

      2. NXM

        Re: Free coffee would never be an issue there.

        Couldn't agree more. I got some of their 'coffee' once and took it back because it tasted like grilled cardboard in hot water. The replacement wasn't any better.

  6. Anonymous Coward
    Anonymous Coward

    Discovered a very similar bug in Yahoo! code on my first day working there, back in 1999. Should have taken that as a warning and quit there and then...

  7. Claptrap314 Silver badge
    Mushroom

    In what world

    does it make sense to parse an SSID as a scanf specifier?

    I. DO. NOT. CARE. if this can be exploited or not. This is like the systemd random fiasco. It is an utter failure of the most basic rules of programming that it calls into question any claims relating to the platform at all.

    1. Brian Scott

      Re: In what world

      probably a printf rather than a scanf (that we know about) but that is just quibbling about the degree of stupidity rather than the fact.

      Otherwise, agree 100%

    2. 2+2=5 Silver badge

      Re: In what world

      Not an excuse but an observation.

      The Apple documentation for NSString shows that it has about 30 gazillion methods, and calls onto Core Foundation code for some of its functionality - and the bug could be in any of the code because, as a developer, you have no idea which methods call what without installing a debugging version of the NSString library and stepping through it all yourself.

      OO programming was supposed to simplify things: it seems to have stopped doing that.

      1. Julz Silver badge

        Re: In what world

        OO was never about simplification. It just matched some problems, crucially UIs, better than other methodologies.

      2. DS999 Silver badge

        Re: In what world

        Anything that encourages more code reuse also encourages not knowing exactly what the code you constantly reuse does behind the scenes. Like many things, its a tradeoff.

        At least one thing in the "favorable" column of the tradeoff is that if a bug is discovered in code that is reused in many places, it only needs to be fixed once. If everyone is reinventing the wheel, many bugs will need to be fixed over the years.

  8. JassMan Silver badge
    Trollface

    So what happens if...

    You set up a wifi hotspot on your non iPhone and walk into an apple store?

    Just asking - not that I would EVER dream of doing such a thing.

    1. Brian Scott
      Trollface

      Re: So what happens if...

      Also, don't have a password so most of them will auto-join without asking.

      Not that I'm giving technical advice or anything because no one would ever dream of doing such a thing.

      1. Erix

        Re: So what happens if...

        Just tried to create an open hotspot named "R%s%s%s" on my Android. The iPhone 8 (14.6) sitting next to it does not auto-connect to it. When trying to connect manually the iPhone says "Unable to join the network" and then WiFi turns itself off and cannot be turned back on again until the iPhone is restarted.

        So much for the apple store idea. If you could get it to auto-connect then this could indeed wreak havoc in the turtle-neck department.

        1. JassMan Silver badge

          Re: So what happens if...

          So using a bit of phishing psychology such as a hotspot called %secret Discount Voucher %storage %server would educate a load of fanbois in 2 facts of life at the same time.

        2. Robert Carnegie Silver badge

          Re: So what happens if...

          I have Auto Join = Ask, and Ask To Join = Notify, so I don't join strange networks. There was an episode of Doctor Who where you do that and the wifi eats you or something.

          Since I encountered something called Wifi Max I think which auto joins anyway, I usually turn off wifi when I'm out.

    2. low_resolution_foxxes Silver badge

      Re: So what happens if...

      Does it fail on scanning and detecting the wifi, or specifically when you connect?

      %F%R%E%E% WIFI

      ?

      I mean heck, if you could find some way of sellotaping a wifi hotspot to the wall for a few days..

      Ahem. Subject to the laws of your region.

  9. John Brown (no body) Silver badge

    "I don’t believe it is exploitable,"

    Famous last words?

    It does sound very unlikely that this might be an actual security vuln, but then so many previous ones have also been "very difficult or impossible" to exploit too. Especially when one exploit is linked to others. Maybe some hacking group or TLA out there is going "Oh crap, that was one of our better ones too!"

    1. mevets Bronze badge

      Re: "I don’t believe it is exploitable,"

      Try this on a little endian machine. It shouldn't do anything bad, but might give a hint about exploitable....

      ```

      #include <stdio.h>

      main() {

      char targ[100] = {0};

      FILE *fp = fopen("/dev/null", "w+");

      fprintf(fp, "%1953460082.1953460082s%n", "", targ);

      fclose(fp);

      printf("%s\n", targ);

      }

      ```

    2. Robert Carnegie Silver badge

      Re: "I don’t believe it is exploitable,"

      Anyway a lot more people are thinking about how to exploit it now...

  10. Gene Cash Silver badge

    Cyrillic will crash some Androids

    So I named my 2.4 & 5 GHz with the Russian for "Soyuz" and "Progress" written in Cyrillic.

    OpenWRT has no issue, but some of my friend's phones crashed trying to scan.

  11. A Non e-mouse Silver badge
    Facepalm

    Repeat after me:

    Never trust user input.

    1. Paul Crawford Silver badge

      Also after me:

      Use static code analysis tools, and actually deal with the gcc -Wall checks

  12. Ken Moorhouse Silver badge

    One way to exploit this...

    A big notice which says:-

    Free WiFi

    Use these credentials...

    Any problems, please ring <scam paradise ltd> for free support.

  13. %p%s%s%s%s%n

    I feel pretty confident that El Reg forum software, at least, survives printf formatters. Considering the mindset of the regular commenters it will have been thoroughly battle-tested...

    1. A Non e-mouse Silver badge

      I'm sure Bobby Tables has attempted to sign up multiple times over the years

  14. debater

    Anyone who makes WiFi low-level software

    Anyone who makes WiFi low-level software: this is one to add to your automated test suites, please. Pretty please.

    (Shameless plug: unless, of course, you use Ada to write your critical software :-)

    (You know, the International Standard programming language that was _designed_ for writing safety-critical software.)

    (And even then, of course, still add it to your automated test suites, since even Ada software has to call into stuff sometimes.)

  15. X5-332960073452
    Coffee/keyboard

    Thank you

    Apple did not respond to a request for comment. We haven't heard from anyone there in a while. We hope everyone in the company's uncommunicative communications group is okay.

    1. Robert Carnegie Silver badge

      Re: Thank you

      They're having network problems...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021