On The Recently Discovered iOS “Schou” Networking Bug
Earlier this week, news broke of a strange networking issue that can permanently disable all WiFi activity on iOS devices. At the time of the initial reports it was known to affect iOS 14 only, and it can cause quite a mess. The news was originally revealed by reverse engineer Carl Schou (via BleepingComputer, with the story sourced via MacTrast), and since very little information was originally revealed about the issue or how it functions, we decided to put our research hats on and see what we could discover.
After joining my personal WiFi with the SSID “%p%s%s%s%s%n”, my iPhone permanently disabled its WiFi functionality. Neither rebooting nor changing SSID fixes it :~) pic.twitter.com/2eue90JFu3
— Carl Schou (@vm_call) June 18, 2021
On iOS 14, the problem can be quickly fixed by performing a network reset – but all is not quite as well as it seems. Here’s what we found:
- The issue also affects iOS 15 developer beta
- Resetting network settings does NOT resolve the issue in iOS 15 developer beta 1
- Restoring a device and setting it up again as new on iOS 15 resolves the issue, but restoring from an iCloud backup (even one from before you attempt to connect to the unusually named network) causes the device to brick about 30-60 minutes into the iCloud restore process.
We went to great lengths to find a usable workaround, including trying out different network names, and even an entirely different router, but to no avail: every time we restored from the iCloud backup, things quickly got locked up again. But the real question was: why? And given that the issue recurs so quickly, what could possibly work around it?
This led us to a few additional paths, in which we learned the following:
- The issue appears to involve the Keychain on the device, which, regrettably, means that whatever data allows the bug to function is uploaded into iCloud as well.
- It’s unclear why a network reset works on iOS 14, but not iOS 15
- iOS 15 utilizes iCloud in different and novel ways than iOS 14
- Therefore, either the network reset mechanism doesn’t work correctly in iOS 15, or the bug somehow affects iCloud-based Keychain data, or both.
And something especially intriguing:
- When we disabled our wireless network entirely, the issue swiftly fixed itself, only to recur as soon as we booted the WiFi back up.
Which made us wonder… was iCloud somehow remembering the router’s MAC address? Or could the router itself have something specific to do with the issue at hand?
Since there is no way to selectively remove network settings in iOS, we turned to the Mac for further answers. Our Mac, which is connected to the same iCloud account and also uses iCloud Keychain, told an interesting tale: even though we had never connected to the suspicious network from the Mac, the network name was still stored in the Mac’s remembered networks. As such, our theory switched tracks: since both devices sync their keychain through iCloud, we theorized that removing the wireless network from our Mac’s remembered networks might stand a chance of fixing the issue in iOS as well.
However, after removing it we were left befuddled: it didn’t appear to make an impact at all! So, as a final effort in our 10-hour due diligence, we followed the removal with one more device reset and iCloud restore, and therein we found the answer. The only fix we could find to repair iOS 15 backups that had become corrupted by the networking bug was to remove the network through macOS network settings and rely on iCloud to finish the job.
So, in short, what we found was this:
- The malicious network can brick WiFi on iOS 14 and iOS 15 devices, and can permanently brick iOS 15 devices unless you reset your iCloud Keychain or work through your Mac to remove the network from your list of favorites.
- Favorited networks on Mac apparently also sync to iCloud (not just stored network passwords, but the remembered networks as well).
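As an added example, not part of the original post and not something the researchers published, here is a shell script for the Mac-side cleanup described above. It assumes macOS’s `networksetup` utility (its `-listpreferredwirelessnetworks` and `-removepreferredwirelessnetwork` subcommands), the `en0` interface name, and a constructed sample listing so it runs anywhere. It also assumes, from the %p/%s/%n shape of the SSID in the tweet, that network names containing printf-style conversion directives are the ones worth hunting for in the remembered-network list; that is our reading of the trigger, not something the post itself analyzes.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS `networksetup`,
# whose -listpreferredwirelessnetworks / -removepreferredwirelessnetwork
# subcommands list and delete the remembered ("preferred") Wi-Fi networks
# that the post found syncing through iCloud Keychain. The interface name
# en0 is an assumption; check yours with `networksetup -listallhardwareports`.

# Constructed sample of a `networksetup -listpreferredwirelessnetworks en0`
# listing, so the script runs without a Mac. The second name is the SSID
# from Carl Schou's tweet.
SAMPLE_LIST='Preferred networks on en0:
    HomeNet
    %p%s%s%s%s%n
    CoffeeShop 5G'

# Print one SSID per line from a listing: drop the unindented header line
# and strip the leading whitespace from each entry. The SSID is always
# passed to printf as an argument, never as its format string.
list_ssids() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]\{1,\}//p'
}

# Keep only SSIDs containing a printf-style conversion such as %p, %s or %n.
# That is the shape of the name in the post, and the thing to audit for in
# the remembered-network list of every Mac on the affected iCloud account.
suspicious_ssids() {
    list_ssids "$1" | grep -E '%[-+ #0-9.]*[diouxXeEfgGcspn%]' || true
}

# Remove one SSID from the Mac's remembered networks: the manual workaround
# the post describes, with iCloud Keychain sync propagating the removal.
# networksetup may prompt for administrator credentials. Off macOS it only
# reports what it would do.
remove_remembered_network() {
    iface="$1"; ssid="$2"
    if command -v networksetup >/dev/null 2>&1; then
        networksetup -removepreferredwirelessnetwork "$iface" "$ssid"
    else
        printf 'networksetup not found; would remove "%s" from %s\n' "$ssid" "$iface" >&2
    fi
}

# Usage: sh audit_ssids.sh [interface] [--remove]
# Lists suspicious remembered networks; removes them only with --remove.
main() {
    iface="${1:-en0}"
    if command -v networksetup >/dev/null 2>&1; then
        listing=$(networksetup -listpreferredwirelessnetworks "$iface")
    else
        listing="$SAMPLE_LIST"
    fi
    suspicious_ssids "$listing" | while IFS= read -r ssid; do
        printf 'suspicious remembered network: %s\n' "$ssid"
        if [ "${2:-}" = "--remove" ]; then
            remove_remembered_network "$iface" "$ssid"
        fi
    done
}

main "$@"
```

Run it without arguments to get a report only; pass the interface and `--remove` (for example `sh audit_ssids.sh en0 --remove`) to actually delete the flagged entries. Because the remembered-network list syncs through iCloud Keychain, the cleanup should be repeated on every Mac tied to the same account before attempting the device reset and iCloud restore described above.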
Fortunately, we were able to find a workaround for all known devices that this can affect – but it’s going to be up to Apple to come up with something more permanent to patch this.