Apple: dangerous vulnerability affects HomeKit


Fanny Dufour

January 04, 2022 at 7:00 p.m.


Apple logo © Unsplash / Laurenz Heymann


A security researcher has found a vulnerability in HomeKit that allows a denial of service attack on some of Apple’s devices.

He publicly disclosed the vulnerability after Apple decided to push back its fix.

A vulnerability that freezes Apple devices

Security researcher Trevor Spiniolas recently exposed a vulnerability that could allow denial of service attacks on Apple devices running iOS 14.7 through iOS 15.2. Nicknamed “doorLock”, it affects Apple HomeKit, an interface that allows users to control their connected devices from their iPhone and iPad. If an iPhone or iPad connects to a HomeKit device that has been given a very long name, 500,000 characters according to the researcher, the phone or tablet freezes and restarts. The only way to get the device working again is to reset it to the factory state, and therefore delete its data.

But even after restoring their phone, the user may continue to fall victim to the bug. The names of HomeKit devices are saved in iCloud, and if the user signs back in to the service to recover their data after the reset, their device is again exposed to the bug and becomes unusable again.

According to the researcher, an attacker who seeks to exploit this bug would have two ways of doing so. The first would be to use a malicious application they created. As Spiniolas explains, through Apple’s HomeKit API, any application that has access to the data of the Home application can modify the names of the HomeKit devices connected to it, and therefore give them a name that would trigger the bug. The second way, and the simplest since it does not require the victim to have connected devices, would be through an invitation. If an attacker invites victims to join a Home that contains a HomeKit device with a very long name, the bug is triggered on the victim’s device once the invitation is accepted.

Apple’s response insufficient for the researcher

For Trevor Spiniolas, “this problem makes ransomware viable for iOS”. He explains that an attacker could, for example, impersonate Apple or a service related to HomeKit products to trick users into clicking on a link or accepting an invitation sent by email. He could demand a ransom from them in return, offering to change the name of his HomeKit device to unlock the phones in exchange for payment.

Spiniolas said he warned Apple of the bug on August 10, 2021. In iOS version 15.1, a partial fix was introduced that limits the size of names that can be given to HomeKit devices. But this fix is insufficient for the researcher, since it does not fix the main problem, which is how iOS handles the names of HomeKit devices. Most importantly, it does not prevent exploitation of the bug through invitations; devices running iOS 15.2 can still be trapped. As Apple did not fix the bug before 2022 as originally promised and pushed the fix back to “early 2022”, the researcher decided to make it public so that users can protect themselves.
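The gap described above, a limit applied when a name is written but not where it is consumed, modeled as an added example that is not Apple's code or the researcher's. The 64-character limit, the record type and all function names are assumptions made for this sketch.

```python
from dataclasses import dataclass

MAX_NAME_LEN = 64  # assumed limit for this sketch; the article gives no figure


@dataclass(frozen=True)
class AccessoryRecord:
    name: str
    source: str  # "local_api", "cloud_sync" or "invitation"


def rename_via_api(name: str) -> AccessoryRecord:
    """Write-side check only: models a fix that limits names at rename time."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError("accessory name too long")
    return AccessoryRecord(name, "local_api")


def bounded_name(raw: str, limit: int = MAX_NAME_LEN) -> str:
    """Read-side check: clamp any name before it reaches parsing or UI code."""
    # Slice first so an oversized string is never scanned in full.
    cleaned = "".join(ch for ch in raw[: limit * 4] if ch.isprintable())
    return cleaned[:limit] or "Unnamed accessory"


def load_home(records, enforce_on_read: bool):
    """Return (names handed to the UI, sources that delivered an oversized name)."""
    shown, oversized_sources = [], []
    for rec in records:
        name = bounded_name(rec.name) if enforce_on_read else rec.name
        if len(name) > MAX_NAME_LEN:
            oversized_sources.append(rec.source)
        shown.append(name)
    return shown, oversized_sources


# Constructed sample data: one normal local record, two oversized remote ones.
LONG = "x" * 5000
SAMPLE = [
    rename_via_api("Front door lock"),
    AccessoryRecord(LONG, "cloud_sync"),  # restored data, never passed rename_via_api
    AccessoryRecord(LONG, "invitation"),  # arrives with a shared home
]

if __name__ == "__main__":
    for enforce in (False, True):
        _, bad = load_home(SAMPLE, enforce)
        print(f"enforce_on_read={enforce}: oversized names from {bad or 'none'}")
```

With only the write-side check, the synced and invited records still reach the consumer at full length; with the read-side bound, no source can deliver an oversized name.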

The easiest way to avoid the bug is to not accept invitations to a Home from unknown people. If you are still the victim of the bug, it is possible to regain access to your iCloud account as follows:

  • Restore the phone from recovery or DFU mode;
  • Perform the normal configuration of the device without reconnecting to your iCloud account;
  • Once the basic setup is complete, sign in to iCloud from Settings, then immediately uncheck the “Home Controls” box.


Sources: The Verge, Trevor Spiniolas blog


