“Doorlock”: HomeKit bug can paralyze iPhones and iPads


A security researcher has published a denial-of-service vulnerability that can completely paralyze current iPhones and iPads, affecting at least iOS 14 and later. IT security researcher Trevor Spiniolas disclosed the zero-day after Apple, which had had the report since August, last told him in December that the bug would be fixed in “early 2022”. The bug is reportedly still present in the current beta of iOS 15.2 and iPadOS 15.2.

Spiniolas discovered that the names of HomeKit devices can be filled with extremely long strings; he calls the bug “Doorlock”. By default, HomeKit names are then synchronized in the background via iCloud to every device signed in with the same Apple ID. The problem: when an iPhone or iPad reads this name in Control Center, it hangs completely. Only a complete reset without signing back into the iCloud account restores it to operation; otherwise the name is transferred again.

The string Spiniolas used is extremely long: half a million characters. Why it was ever possible to enter it, and why no check was performed, remains Apple’s secret. The string can be set via the HomeKit API from any iOS or iPadOS app with access to Apple’s home data; it is sufficient for the device not yet to be running iOS 15.1 (or possibly iOS 15.0, Spiniolas does not know), because only there does Apple impose a limit. Once the problem has been triggered on any device belonging to the iCloud account in question, iPhones and iPads running iOS 15 or later are also “killed”. Instead of using an app, according to the security researcher, it should also be possible to insert the long string manually via copy & paste in the Home app, although the app may crash in the process. It is somewhat easier to invite inexperienced users to a home network that already contains the manipulated names.


Once the problematic name has been set, there are two scenarios. If home devices are active in Control Center, the operating system slows down until it is unusable; it can hardly be reached even via USB. The cycle repeats itself until a reboot, and even after that the problem starts all over again until the system is restored via recovery or DFU mode. If home devices are not active in Control Center, the Home app becomes unusable and crashes on launch.

Apple appears to regard the Doorlock bug as less dangerous than Spiniolas does. Indeed, an attacker would first have to embed the exploit in a HomeKit-enabled app, which the user would then have to grant the appropriate rights to their own home network. The security researcher can nevertheless imagine ransomware attacks; alternatively, as mentioned, an attacker could invite a user to a home network containing names that render the system unusable. HomeKit invitations are not checked by Apple, although the company could filter them. When Apple will fix the bug remains unclear.


(bsc)
