Unpatched iPhone Bug Allows Remote Device Takeover
Amazing. It sounds like an old-fashioned sprintf() style bug with unchecked parameters, if that's not too dated a reference these days.
Summary: A Wifi router with the SSID "%p%s%s%s%s%n" can take over your phone if you connect to it (automatically or otherwise)
A format-string bug believed to be a low-risk denial-of-service issue turns out to be much nastier than expected.
A vulnerability in Apple iOS opens the door to remote code execution (RCE), researchers found. The assessment is a revision from a previous understanding of the flaw that viewed it as a low-risk (and somewhat wacky) denial-of-service (DoS) problem affecting iPhones Wi-Fi feature.
The original DoS issue is a string-format bug discovered by researcher Carl Schou, who found that connecting to an access point with the SSID %p%s%s%s%s%n would disable a devices Wi-Fi.
https://threatpost.com/unpatched-iphone-bug-remote-takeover/167922/