WiFiDemon – iPhone Wi-Fi bug could also enable RCE

Carl Schou, a researcher, uncovered a new Wi-Fi bug in June that can permanently disable Wi-Fi on iPhones by disconnecting it.

The bug can be triggered merely by connecting to a rogue hotspot.

Once an iPhone has connected to a corrupt hotspot, it can no longer connect to any Wi-Fi network, even after the device is rebooted or the hotspot is renamed.

Schou discovered the problem after having trouble joining his personal Wi-Fi hotspot, named %p%s%s%s%s%n, from his iPhone running iOS 14.4.2; he also found that the bug affects iPhone XS users on iOS 14.4.2.

In a hypothetical attack scenario, a threat actor could set up an open rogue Wi-Fi hotspot in a crowded area, such as a hotel lobby or a train station, where this flaw could have a significant impact.

Resetting the network settings of the affected iPhone was the only way to restore Wi-Fi functionality.

According to independent security researchers, the bug is likely caused by a string-parsing issue in the Wi-Fi settings.

Apple iOS may interpret the characters following a "%" in the hotspot name as string-format specifiers rather than as part of the name itself.
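The parsing issue described above is the classic format-string bug class: untrusted text (here, an SSID) is handed to a printf-style function as the format argument instead of as a value, so "%s", "%n" or "%@" inside it are treated as directives. The C program below is an added illustration of that class and is not code from the article, from Apple, or from the researchers it cites; the function names, the "Joining network: " message and the sample SSIDs are all constructed for the example. It counts the directives an SSID would introduce, keeps the vulnerable pattern as a comment only, and shows the hardened form, which passes the SSID as a "%s" argument so it is copied verbatim and never parsed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Count printf-style conversion directives in an untrusted string such as a
 * Wi-Fi SSID. Every '%' that is not immediately followed by another '%'
 * starts a directive ("%%" is the escaped literal percent sign and is not
 * counted). A lone '%' at the end of the string is counted too, since it is
 * a malformed directive. "%@" (the Objective-C object directive named in the
 * article) is counted like any other directive. */
int count_format_directives(const char *ssid)
{
    int directives = 0;
    for (const char *p = ssid; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" renders as a single literal '%' */
            p++;
            continue;
        }
        directives++;
    }
    return directives;
}

/* VULNERABLE PATTERN (deliberately left as a comment so it is never compiled
 * or run): the attacker-controlled SSID becomes the format string, so each
 * "%s" reads a pointer off the stack and "%n" writes to memory.
 *
 *     void log_join_unsafe(const char *ssid) { printf(ssid); }
 */

/* Constructed message prefix used by the hardened formatter below. */
static const char JOIN_PREFIX[] = "Joining network: ";

/* Hardened form: the SSID is only ever a "%s" argument, so its content is
 * copied byte-for-byte and never parsed for directives. Returns the length
 * the full message would have, exactly as snprintf() does, so callers can
 * detect truncation. */
int format_join_message(const char *ssid, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s%s", JOIN_PREFIX, ssid);
}

/* Check that the safe formatter reproduces the SSID verbatim, i.e. that
 * "%p%s%s%s%s%n" comes out as exactly those twelve characters. */
bool renders_ssid_verbatim(const char *ssid)
{
    char buf[128];
    int n = format_join_message(ssid, buf, sizeof buf);
    if (n < 0 || (size_t)n >= sizeof buf)
        return false;                       /* error or truncated output */
    size_t plen = strlen(JOIN_PREFIX);
    return strncmp(buf, JOIN_PREFIX, plen) == 0 && strcmp(buf + plen, ssid) == 0;
}

int main(void)
{
    /* Constructed sample SSIDs: the two from the article plus two benign ones. */
    const char *samples[] = { "%p%s%s%s%s%n", "%@", "CoffeeShop Guest", "100%% free" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-16s directives=%d verbatim=%s\n", samples[i],
               count_format_directives(samples[i]),
               renders_ssid_verbatim(samples[i]) ? "yes" : "no");
    }
    return 0;
}
```

The counter is useful on the defensive side as a detection heuristic: an SSID carrying several directives is a strong signal of a hostile beacon, whereas a legitimate name containing a literal percent sign ("100%% free") counts as zero. The real fix, however, is the one in format_join_message: never let untrusted bytes reach the format argument of any printf-family or NSString-formatting call.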

The only way to recover an affected device is to reset its iOS network settings, which takes a few simple steps:

  • Open Settings on your iPhone and select General.
  • Choose Reset.
  • Tap 'Reset Network Settings'; the device will reboot and its network settings will be restored to factory defaults.

Apple will most likely fix the vulnerability with the release of iOS 14.7.

Researchers from mobile security firm ZecOps later discovered that this vulnerability can also be exploited to achieve remote code execution (RCE) on target devices by appending the string pattern "%@" to the Wi-Fi hotspot's name.

They named the vulnerability WiFiDemon and described it as a zero-click vulnerability that could allow attackers to infect a device without the user's knowledge.

The only requirement for exploiting the flaw is that Wi-Fi is turned on with Auto-Join enabled (which it is by default).

“As long as the WiFi is turned on this vulnerability can be triggered. If the user is connected to an existing WiFi network, an attacker can launch another attack to disconnect/de-associate the device and then launch this 0-click attack,” states the report published by the experts. “This 0-click vulnerability is powerful: if the malicious access point has password protection and the user never joins the wifi, nothing will be saved to the disk. After turning off the malicious access point, the user’s WIFI function will be normal. A user could hardly notice if they have been attacked.”

The RCE issue was present in iOS versions starting with iOS 14.0 and prior to iOS 14.3. According to the experts, Apple “quietly” fixed the problem in January 2021 with the release of iOS 14.4.

“However, since this vulnerability was widely published, and relatively easy to notice, we are highly confident that various threat actors have discovered the same information we did, and we would like to encourage an issuance of a patch as soon as possible,” concludes the report.

To keep their devices secure, iPhone and iPad users should update to the latest iOS version.
