Security researchers say Apple quietly patched a format-string bug in the wi-fi feature of its iOS mobile operating system that required no user interaction such as clicking for attackers to exploit and run arbitrary code on target devices.
The flaw has been named WiFiDemon by security vendor ZecOps.
ZecOps said it was patched by Apple in iOS 14.4, having been around since iOS 14.0.
Apple did not assign a Common Vulnerabilities and Exposures (CVE) index to the bug, which was reported to the company by an anonymous researcher.
Exploiting the bug requires iOS to be set to the default Auto-Join WiFi networks, a convenience feature that ZecOps now suggest users should disable.
Originally, it was thought that users needed to be tricked into connecting to wi-fi networks with strange Service Set Identifiers (SSID) names like %s%s%s to exploit them, something that ZecOps thought was unlikely to happen.
However, further analysis by ZecOps suggests that by simply leaving wi-fi urned on and the device in proximity to a malicious access point, the WiFiDemon vulnerability can be exploited with no user interaction required.
Such attacks could be hard to spot, ZecOps noted.
"This zero-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the wi-fi, nothing will be saved to the disk," the researchers wrote.
"After turning off the malicious access point, the user’s wi-fi function will be normal.
"A user would hardly notice if they have been attacked."
The first details of a related bug were made public on June 19 this year when researcher Carl Schou posted that joining a wi-fi access point with the SSID set to %p%s%s%s%s%n would crash and disable his iPhone's wireless network functionality, leading to a denial of service attack scenario.
Another researcher, Perry Lorimer, pointed to the %n format string which Apple has now removed support for.
%p is output a pointer.
— Perry Lorier (@isomer) June 18, 2021
%s is output a null terminated string.
And %n is nasty: it's write the number of bytes so far into the argument.
C doesn't check that there are arguments for this and that they are the right type. So if you have more % than args then it'll probably crash
Lorier told iTnews that %n "is dangerous as it instead overwrites a variable with how many bytes have been output so far, [and] if used incorrectly it can trivially corrupt memory."
Restoring wi-fi functionality requires a network settings reset to stop the wifid process from trying to read the problematic SSID from a file written to iOS system storage.
