WiFiDemon – iPhone Zero-click Wifi Hacking Flaw Can be Used to Execute Remote Code

Recently the mobile security experts at zecOps have discovered a bug in the iPhone last month that intrudes wireless connectivity when it gets connected to an access point with a specific name.

This bug was dubbed as WiFiDemon, and it is a remote code execution vulnerability, and for implementing operation it does not require any kind of user intervention.

Wi-Fi-Demon

Wi-Fi is the key factor for the smartphone, and wifid is a daemon that manages protocol connected with a Wi-Fi connection and it operates as a root.

According to the report, it says that wifid is a very delicate daemon that may guide the whole system to compromise. During the investigation, the security researcher, Carl Schou detected that wifid has an issue of format string while handling SSID.

The Bug Was Worse Than it Was Assumed

Before proceeding further, let me justify the above heading, in short, this flaw works even when the screen is off. There is a lot of things that have been found in this bug, and the cybersecurity researchers noted that the bug can be a trigger as a zero-click, and it also has the potential to execute remote code.

The security experts are trying to find another method for exploiting the vulnerability, as per the report, the analysts have used “%@,” which is a format specifier for distribution and formatting targets in Objective-C, which is the programming language for iOS software. 

Analysis of a Zero-Click WiFi Vulnerability

After investigating the whole matter, the analysts came to know that wifid has intriguing logs when it is not linked to any wifi. However, all these logs carry SSID, which intimates that they may be hit by the corresponding format string bug. 

The security analysts have tested and confirmed that it has been affected by the same format string bug, which implies that it is a zero-click vulnerability and can be activated without an end-user connecting to a newly named wifi.

Lastly, the researchers have also proposed that until and unless this bug is not getting fixed permanently, avoid joining to any public WiFi networks or any hotspots,  as doing so will help you to stay protected from this type of security flaw.

Necessities to the WiFiDemon 0-Click Attack

  • It needs the WiFi to be admissible with Auto-Join
  • The vulnerable iOS Version is applicable for 0-click: Since iOS 14.0
  • The 0-Click vulnerability was reinforced on iOS 14.4

Mitigation:-

  • Initially update to the latest version, 14.6, as it bypasses the risk of WiFiDemon in its 0-click form.
  • Always prefer disabling WiFi Auto-Join Feature through Settings –> WiFi –> Auto-Join Hotspot –> Never.
  • Conduct risk and trade-off assessment in your mobile/tablet security utilizing ZecOps Mobile EDR in case you infer that you have been targeted.

Necessities to the WiFi 0-Day Format Strings Attack

However, the WiFi format strings were seen to be a remote code execution, and while joining a malicious SSID the experts have noted it. 

Mitigation:-

  • Don’t get associate with unknown Wi-Fi networks.
  • Through Settings –> WiFi –> Auto-Join Hotspot –> Never try to disable the WiFi Auto-Join feature.
  • In case you assume that you have been targeted then quickly conduct risk and trade-off assessment to your mobile/tablet security.
  • The vulnerability is a 0-day, and the iOS 14.6 is vulnerable when correlating to a specifically crafted SSID.
  • Lastly, wait for an authoritative update by Apple and implement it as soon as possible.
Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Silver Fox APT Hackers Target Healthcare Services to Steal Sensitive Data

A sophisticated cyber campaign orchestrated by the Chinese Advanced Persistent Threat (APT) group, Silver Fox,…

2 hours ago

Ghostwriter Malware Targets Government Organizations with Weaponized XLS File

A new wave of cyberattacks attributed to the Ghostwriter Advanced Persistent Threat (APT) group has…

3 hours ago

LCRYX Ransomware Attacks Windows Machines by Blocking Registry Editor and Task Manager

The LCRYX ransomware, a malicious VBScript-based threat, has re-emerged in February 2025 after its initial…

3 hours ago

Threat Actors Using Ephemeral Port 60102 for Covert Malware Communications

Recent cybersecurity investigations have uncovered a sophisticated technique employed by threat actors to evade detection…

3 hours ago

App with Over 100,000 Downloads from Google Play Steals User Data and Blackmails

A financial management app named Finance Simplified has been revealed as a malicious tool for…

3 hours ago

Poseidon Mac Malware Hiding Within PKG Files to Evade Detections

A recent discovery by cybersecurity researchers has revealed that the Poseidon malware, a macOS-targeting trojan,…

3 hours ago