A persistent denial of service (DoS) vulnerability has been discovered in Apple’s HomeKit API that causes iOS and iPadOS devices to freeze, crash, and reboot upon connecting to an Apple Home device.
For those unaware, HomeKit is a software framework made available in iOS and iPadOS that allows iPhone and iPad users to configure, communicate, and control smart-home appliances using Apple devices.
The security researcher Trevor Spiniolas, who publicly disclosed the details on January 1st, 2022, said that Apple had been aware of the bug since August 10, 2021. The Cupertino giant had apparently promised to resolve the bug in a security update before 2022 but failed to ship an actual fix. On December 8th, it revised its estimate to “early 2022.”
On December 9th, Spiniolas contacted Apple to inform them that he would disclose the information to the public on January 1st, 2022 if the bug was not resolved. As the bug remains unresolved, the security researcher decided to make his discovery public.
“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark,” Spiniolas writes.
According to Spiniolas, the vulnerability dubbed “doorLock” can be triggered by just changing the name of a HomeKit device to a string larger than 500,000 characters.
Any device running an affected iOS version stops responding once it reads the device name, entering a cycle of freezing and rebooting that can only be ended by wiping and restoring the iOS device.
“Any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting. Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug,” he added.
An attacker could also trigger the vulnerability by using an app to rename an existing HomeKit device, or by sending an invitation to a Home with a device bearing an oversized name; the invitation path works even on the latest release, iOS 15.2.
The security researcher notes that Apple introduced, in iOS 15.1, a limit on the length of the name an app or the user can set, which reduces the impact to some extent.
“The introduction of a local size limit on the renaming of HomeKit devices was a minor mitigation that ultimately fails to solve the core issue, which is the way that iOS handles the names of HomeKit devices,” Spiniolas said.
“If an attacker were to exploit this vulnerability, they would be much more likely to use Home invitations rather than an application anyways, since invitations would not require the user to actually own a HomeKit device.”
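The passage above describes a classic mismatch: the iOS 15.1 mitigation checks the name length where a user sets it (the rename UI), but not where the name is read (the Home app loading accessory data, including names that arrive through an invitation). The following is an added example, not Apple's code or anything from the researcher's disclosure; it models the two paths the article describes and shows where a defensive length check belongs. The ceiling `MAX_NAME_LEN`, the placeholder text and the payload shapes are assumptions chosen for illustration, and the oversized name is constructed here to mirror the article's trigger condition.

```python
"""Defensive handling of untrusted accessory names (added example, not Apple's code).

Models the two name-delivery paths the article describes:
  - a local rename, which the iOS 15.1 mitigation length-limits, and
  - a Home invitation, whose accessory name arrives from another account unchecked,
and shows why the size check must also sit at the point where names are *read*.
All limits, names and payloads below are constructed for illustration.
"""
from dataclasses import dataclass

MAX_NAME_LEN = 64                     # assumed ceiling; Apple's real limit is not stated in the article
DISPLAY_PLACEHOLDER = "Unnamed accessory"  # assumed safe fallback shown instead of a rejected name


@dataclass
class LoadResult:
    name: str       # what the UI is allowed to render
    rejected: bool  # True if the stored value was refused
    reason: str = ""


def local_rename(new_name: str) -> bool:
    """Write-side check, like the iOS 15.1 mitigation: guards only the rename UI."""
    return len(new_name) <= MAX_NAME_LEN


def invitation_name(payload: dict) -> str:
    """Invitation path: the name is supplied by another account and reaches the
    device with no write-side check at all (the bypass the researcher describes)."""
    return payload.get("accessory_name", "")


def load_accessory_name(stored: object) -> LoadResult:
    """Read-side check: every name, whatever its origin, passes through here before
    rendering. Refusing oversized input here (instead of trying to lay it out) keeps
    the app responsive even if such a name already exists in the account's data,
    so the user can still remove the accessory or leave the Home."""
    if not isinstance(stored, str):
        return LoadResult(DISPLAY_PLACEHOLDER, True, "name is not a string")
    if len(stored) > MAX_NAME_LEN:
        # Bounded message: never echo the offending value back into a log or UI.
        return LoadResult(
            DISPLAY_PLACEHOLDER, True,
            f"name length {len(stored)} exceeds {MAX_NAME_LEN}",
        )
    return LoadResult(stored, False)


def demo() -> dict:
    """Run both paths against a benign and an oversized name; returns a summary."""
    benign = "Living Room Lamp"
    oversized = "A" * 500_001  # constructed: matches the >500,000-character trigger in the article
    invite = {"home": "Shared Home", "accessory_name": oversized}

    return {
        # Write-side check stops a local rename but is never consulted for invitations.
        "rename_benign_allowed": local_rename(benign),
        "rename_oversized_allowed": local_rename(oversized),
        "invitation_bypasses_write_check": len(invitation_name(invite)) > MAX_NAME_LEN,
        # Read-side check catches the same value regardless of how it arrived.
        "loaded_benign": load_accessory_name(benign),
        "loaded_from_invitation": load_accessory_name(invitation_name(invite)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that a limit enforced only at the input widget protects nothing that arrives through sync, sharing or invitations; the check that actually prevents the freeze is the one in `load_accessory_name`, which runs on every name before it is rendered and fails closed with a placeholder rather than with a crash loop.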
The impact of this attack ranges from locking iOS devices into an unusable state to preventing users from signing back into iCloud on iOS to back up their data, since signing back in to the online backup service re-triggers the flaw.
The vulnerability exists on all versions from iOS 14.7 through the latest version, iOS 15.2, and is also likely present on all versions of iOS 14 from 14.0 onward.
To guard against the triggering of the bug, iOS users are advised to immediately reject any invitation received to join any unknown home network.
Additionally, those using smart-home devices can disable Home controls by going to Settings > Control Center and turning the “Show Home Controls” toggle off. This limits the HomeKit information that can be accessed through the Control Center.
“Apple’s lack of transparency is not only frustrating to security researchers who often work for free, but it also poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters,” Spiniolas concludes.
Apple has yet to respond on the matter.