-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-018
Product:                   iOS and iPadOS
Manufacturer:              Apple Inc.
Affected Version(s):       iPadOS/iOS 18.4 and before, iPadOS 17.7.6 and before
Tested Version(s):         16.7.10 (on iPhone 8) and 18.3.1 (iPhone SE 2022)
Vulnerability Type:        Missing Authorization (CWE-862)
Risk Level:                Low
Solution Status:           Fixed in iOS/iPadOS 18.5 and iPadOS 17.7.7
Manufacturer Notification: 2025-02-28
Solution Date:             2025-05-12
Public Disclosure:         2025-11-21
CVE Reference:             CVE-2025-31216
Author of Advisory:        Thibaud Kehler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

iOS is an operating system developed by Apple for its iPhones, a line of
smartphones also developed and marketed by Apple [1].

Apple's operating systems support mobile device management, which Apple
describes as follows (see [2]):

"A device management service lets an administrator securely and remotely
configure devices by sending configurations, profiles and commands to the
device, whether it is owned by the user or your organisation. Capabilities
include updating software and device settings, monitoring compliance with
organisational policies, and remotely wiping or locking devices."

This includes pushing a write-protected Wi-Fi profile that contains the
SSID, the password and other security settings.

Due to missing authorization in the Camera app, users can overwrite
managed Wi-Fi profiles by scanning a QR code. In combination with social
engineering or phishing, this vulnerability can be used to facilitate evil
twin attacks and thereby gain a machine-in-the-middle (MitM) position.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Networks managed via mobile device management are supposed to be
write-protected in order to impede several attacks against Wi-Fi, for
example evil twin attacks.
However, the Camera app's functionality to join a Wi-Fi network by
scanning a QR code enables unsuspecting users to overwrite the managed
Wi-Fi profile and thus join a potentially malicious Wi-Fi network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

First, disconnect from the managed Wi-Fi network, for example
"CorporateNetwork", by

1. disabling "Auto-Join" in the Wi-Fi profile and
2. turning Wi-Fi off and on again.

Generate a QR code to join a Wi-Fi network with the same SSID, but with a
different password, e.g. via

  qrencode "WIFI:T:WPA;S:CorporateNetwork;P:someotherpassword;;" -o - -t UTF8

Next, open the Camera app, focus on the QR code and click on the toast
notification. Confirm the dialog "Join Wi-Fi Network 'CorporateNetwork'"
by clicking on "Join".

After several seconds, the connection attempt is aborted with an error
message: "Unable to join the network 'CorporateNetwork'".

Afterwards, the original Wi-Fi profile no longer works. In the view
"Edit Wi-Fi Networks", it is no longer listed as "Managed Network" and
can be removed completely.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update iOS to version 18.5 or newer.
Update iPadOS to version 17.7.7 or 18.5 or newer.
More information:
https://support.apple.com/en-us/122404
https://support.apple.com/en-us/122405

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-02-25: Vulnerability discovered
2025-02-25: Vulnerability reported to manufacturer via
            https://security.apple.com/
2025-05-12: Patch released by Apple
2025-11-21: Public disclosure of the vulnerability
2025-11-26: Security advisory published by SySS

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for iOS
    https://www.apple.com/os/ios/
[2] Article "Intro to mobile device management profiles"
    https://support.apple.com/en-gb/guide/deployment/depc0aadd3fe/web
[3] SySS Security Advisory SYSS-2025-018
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-018.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] Security advisory of the manufacturer about iOS 18.5 and iPadOS 18.5
    https://support.apple.com/en-us/122404
[6] Security advisory of the manufacturer about iPadOS 17.7.7
    https://support.apple.com/en-us/122405

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Thibaud Kehler of SySS GmbH.

E-Mail: thibaud.kehler@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Thibaud_Kehler.asc
Key ID: 0xE9C79866B6457D7A
Key Fingerprint: CF29 54F1 1B7F 2FF5 7ED9 9BAD E9C7 9866 B645 7D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEzylU8Rt/L/V+2Zut6ceYZrZFfXoFAmklxLwACgkQ6ceYZrZF
fXrXSg//S8lPv+/i85CulwFXcJrPvQIZifwssVNcxLzC0k4aZmNPn9wXtjzqsFaK
ZwCwM7z7RVOLer2xgctYO2nfnNTar9WYBKatEb68W2yMpe7IWwXVBCRPWnnpV9Dp
N5QuEYoNfTW0zuVcPp4OGIIwEDsCJUmtyUtYhg2HkF20ZhyhNo81oE1Fj1GS/aTp
N1UKjlIBYl7lsqnqJLE8gibk966pNzjXcv10sp72D1B628QIwEQETZ1Vtzx0ZeUv
kFFsylLvWGDyTH5WqgYNCxV3hfWwGXRwThP7nvYAvGOoAxXKTLR14zCUCUbpj2LO
lziA+93qQr6Oyta1Pms0ECY/NIBocaoD/IJo55EKitX3bAmCuhZPx60/ese23L5O
SeWvCKL+Ts/EbKDmzBC094nLWs8gpQ+Xf0jAIQ1iAZ8EbqiM6q1Rc3WujlS93s4j
jSQYJCptVYRoHq1h0bY+lPxG8GmKiL3NNvzFg7ya0MzYRpLjY4Zl9lsG6TsAIXao
Qa5n/01unzY87w9EMitohCYN3+vekQ/fE+NazyK5U2g5GfmLzuMVCiUCBDzkUW2b
HW77UeF4D7srwtCNMeL5VhHby3CzZTqTxdckY1c2csJPTX/jOoxbZ4A46jSX9kx+
I00itLhsan4b/WTMp/33W2MVGJLcYcdo+KrxTCNyz2nmPWEUSLI=
=o4OO
-----END PGP SIGNATURE-----
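As an added example that is not part of the signed SySS advisory above and not Apple's code, the following Python models the two things the PoC section turns on: a parser for the "WIFI:T:...;S:...;P:...;;" QR payload format that qrencode is fed in the PoC (including the backslash escaping the format allows, which the PoC payload does not need), and the authorization check the advisory classifies as missing (CWE-862). A small profile store shows the behaviour the advisory describes, where a scanned profile silently replaces the managed profile with the same SSID, beside a hardened variant that refuses the overwrite. ProfileStore, WifiProfile, MANAGED_PROFILE and POC_PAYLOAD are constructed for illustration and model an MDM-managed profile list, not the real iOS implementation.

```python
# Parser for the WIFI: QR payload format used in the PoC, plus the
# authorization check the advisory reports as missing (CWE-862): a profile
# learned from a QR code must not replace a managed, write-protected profile.
# Added example; ProfileStore, WifiProfile and the sample data are constructed
# to model an MDM-managed profile list and are not Apple's implementation.
from dataclasses import dataclass
from typing import Optional


@dataclass
class WifiQrPayload:
    ssid: str
    auth: str = "nopass"   # T: field (WPA, WEP or nopass)
    password: str = ""     # P: field


def _split_fields(body: str) -> list[tuple[str, str]]:
    """Split 'K:V;K:V;;' into (key, value) pairs; a backslash escapes the
    next character, so ';', ':' and backslash may occur inside a value."""
    fields, key, buf, i = [], None, "", 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf += body[i + 1]        # escaped character, taken literally
            i += 2
            continue
        if c == ":" and key is None:
            key, buf = buf, ""        # end of key
        elif c == ";":
            if key is not None:
                fields.append((key, buf))
            key, buf = None, ""       # end of field (or the ';;' terminator)
        else:
            buf += c
        i += 1
    return fields


def parse_wifi_qr(payload: str) -> WifiQrPayload:
    """Parse 'WIFI:T:...;S:...;P:...;;'; raise ValueError if malformed."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    fields = dict(_split_fields(payload[len("WIFI:"):]))
    if not fields.get("S"):
        raise ValueError("payload carries no SSID")
    return WifiQrPayload(fields["S"], fields.get("T") or "nopass", fields.get("P", ""))


@dataclass
class WifiProfile:
    ssid: str
    auth: str
    password: str
    managed: bool = False  # pushed by MDM and therefore write-protected


class ProfileStore:
    """Model of the device's saved Wi-Fi profiles, keyed by SSID (assumed)."""

    def __init__(self, profiles: list[WifiProfile]):
        self._by_ssid = {p.ssid: p for p in profiles}

    def get(self, ssid: str) -> Optional[WifiProfile]:
        return self._by_ssid.get(ssid)

    def apply_scanned_unchecked(self, qr: WifiQrPayload) -> bool:
        """Behaviour the advisory describes: the scanned profile always wins,
        so the managed profile is replaced by an unmanaged one."""
        self._by_ssid[qr.ssid] = WifiProfile(qr.ssid, qr.auth, qr.password)
        return True

    def apply_scanned(self, qr: WifiQrPayload) -> bool:
        """Hardened variant: a managed profile with the same SSID is never
        overwritten; False means the join request was rejected."""
        existing = self._by_ssid.get(qr.ssid)
        if existing is not None and existing.managed:
            return False
        self._by_ssid[qr.ssid] = WifiProfile(qr.ssid, qr.auth, qr.password)
        return True


# Constructed sample data: a managed corporate profile with a placeholder PSK,
# and the PoC payload quoted in the advisory.
MANAGED_PROFILE = WifiProfile("CorporateNetwork", "WPA", "<mdm-pushed-psk>", managed=True)
POC_PAYLOAD = "WIFI:T:WPA;S:CorporateNetwork;P:someotherpassword;;"


def demo() -> dict[str, bool]:
    """Feed the PoC payload to both store variants and report what survived."""
    qr = parse_wifi_qr(POC_PAYLOAD)
    vulnerable = ProfileStore([MANAGED_PROFILE])
    fixed = ProfileStore([MANAGED_PROFILE])
    return {
        "vulnerable_applied": vulnerable.apply_scanned_unchecked(qr),
        "vulnerable_still_managed": vulnerable.get(qr.ssid).managed,
        "fixed_applied": fixed.apply_scanned(qr),
        "fixed_still_managed": fixed.get(qr.ssid).managed,
        "fixed_psk_intact": fixed.get(qr.ssid).password == MANAGED_PROFILE.password,
    }
```

Running `demo()` shows the difference in one place: the unchecked store reports the join as applied and the profile has lost its managed flag, which matches the "no longer listed as Managed Network" observation in the PoC, while the hardened store rejects the request and keeps both the flag and the original PSK. The check deliberately keys on the SSID alone, because the SSID is the only attribute the QR code shares with the managed profile; anything else in the payload is attacker-chosen and must not influence the decision. In a real client the rejection should be surfaced to the user as "this network is managed by your organisation" rather than as a generic failure, so that help-desk staff can distinguish it from an ordinary wrong-password error.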