Apple accused of recklessness over iOS security vulnerability

Controlling a smart home via an app
(Image credit: stock.adobe.com @ Gorodenkoff)

Some devices running Apple's iOS are vulnerable to a newly discovered denial-of-service vulnerability named "doorLock", but Apple doesn't seem to be all that interested in fixing it, reports have claimed.

The vulnerability, first discovered by security researcher Trevor Spiniolas, lies in the way iOS handles Apple HomeKit device names and affects iOS versions 14.7 through 15.2. HomeKit is Apple's framework for controlling smart home accessories from iOS apps.

Spiniolas demonstrated the flaw in a video posted on YouTube, in which he shows that to trigger the flaw, all an attacker needs to do is change the name of a HomeKit device to something that has more than 500,000 characters. 

Prevention versus mitigation

An attacker can do this with an iOS app that has been granted access to Home data: such an app can rename HomeKit devices, and the renamed entry is then synced to the victim even if the victim has no Home devices of their own added to HomeKit. How long such an app would go undetected before being flagged and pulled is anyone's guess.

When the device tries to load the oversized name, it freezes. The only way out is to restore it, which wipes all data stored on the device. Worse, signing back into the iCloud account linked to the Home syncs the malicious name straight back down, putting the victim back at square one and in an endless loop of freezes and restores.

"The introduction of a local size limit on the renaming of HomeKit devices was a minor mitigation that ultimately fails to solve the core issue, which is the way that iOS handles the names of HomeKit devices," the researcher explained in his blog post.

"If an attacker were to exploit this vulnerability, they would be much more likely to use Home invitations rather than an application anyways, since invitations would not require the user to actually own a HomeKit device."
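To make the two points above concrete, here is an added example in Swift that is not part of the original article or the researcher's code. It shows what a "local size limit" on renaming looks like (a guard around HomeKit's own `HMAccessory.updateName(_:completionHandler:)`), and beside it an audit that scans every home and accessory an app can see for names above the cap, which is the kind of name that arrives through iCloud sync and that a local limit alone cannot stop. The cap of 256 characters is an assumption chosen as a sane upper bound for a display name; the page only gives the roughly 500,000-character trigger size. Running it requires a real iOS app with the HomeKit entitlement and an `NSHomeKitUsageDescription` entry in Info.plist.

```swift
import HomeKit

// Assumed cap: the article gives only the ~500,000-character trigger size,
// so 256 is a chosen upper bound for any reasonable device or home name.
let maxSafeNameLength = 256

struct OversizedName {
    let home: String            // truncated home name for logging
    let accessory: String?      // truncated accessory name, nil if the home itself is oversized
    let length: Int
}

enum HomeKitNameAuditor {
    /// Scan every home and accessory for names longer than the cap.
    /// Names set by another member of a shared Home sync down via iCloud,
    /// so this catches oversized entries regardless of who created them.
    static func oversizedNames(in homes: [HMHome]) -> [OversizedName] {
        var hits: [OversizedName] = []
        for home in homes {
            let homeLabel = String(home.name.prefix(32))
            if home.name.count > maxSafeNameLength {
                hits.append(OversizedName(home: homeLabel, accessory: nil,
                                          length: home.name.count))
            }
            for accessory in home.accessories where accessory.name.count > maxSafeNameLength {
                hits.append(OversizedName(home: homeLabel,
                                          accessory: String(accessory.name.prefix(32)),
                                          length: accessory.name.count))
            }
        }
        return hits
    }

    /// The "local size limit" on renaming: refuses to send an oversized name
    /// to HomeKit. This stops *this* app from being the source of a bad name,
    /// but does nothing about names that reach the device through iCloud sync.
    static func safeRename(_ accessory: HMAccessory, to newName: String,
                           completion: @escaping (Error?) -> Void) {
        guard newName.count <= maxSafeNameLength else {
            completion(NSError(domain: "HomeKitNameAuditor", code: 1, userInfo: [
                NSLocalizedDescriptionKey:
                    "refusing rename: \(newName.count) characters exceeds \(maxSafeNameLength)"
            ]))
            return
        }
        accessory.updateName(newName, completionHandler: completion)
    }
}

/// Minimal driver: HomeKit delivers homes asynchronously, so the audit runs
/// from the HMHomeManagerDelegate callback once the data is available.
final class HomeAuditDriver: NSObject, HMHomeManagerDelegate {
    private let manager = HMHomeManager()

    override init() {
        super.init()
        manager.delegate = self
    }

    func homeManagerDidUpdateHomes(_ manager: HMHomeManager) {
        let hits = HomeKitNameAuditor.oversizedNames(in: manager.homes)
        if hits.isEmpty {
            print("No oversized HomeKit names found")
        }
        for hit in hits {
            print("Oversized name (\(hit.length) chars) in home '\(hit.home)...'"
                  + (hit.accessory.map { " accessory '\($0)...'" } ?? ""))
        }
    }
}
```

The audit only helps on a device that can still load Home data; once an oversized name has been rendered by the OS the freeze described above takes over, which is why the researcher's point stands that the fix has to be in how iOS itself handles these names.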

Spiniolas said he told Apple about the flaw in August last year, but the issue is still unresolved, even though Apple promised to fix it. He warned that it could be used as a ransomware vector, with the attacker demanding payment in exchange for restoring the HomeKit name to a safe length so the victim's device becomes usable again.

So, what can people do, in the meantime? According to BleepingComputer, the focus needs to be on prevention, at this point, because if someone gains access to a victim’s “Home”, it’s going to be a tough fight.

In practice, that means scrutinizing unexpected Home invitation emails that appear to come from Apple services or HomeKit products in the same way as emails that could potentially be carrying malware.

For anyone who has already accepted an invitation or otherwise given someone access to their Home, here is what they can do:

  • Restore the affected device from Recovery or DFU Mode
  • Set up the device as usual, but do NOT sign back into the iCloud account
  • After setup is finished, sign in to iCloud from settings. Immediately after doing so, disable the switch labeled “Home.” The device and iCloud should now function again without access to Home data.

Via: BleepingComputer 

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.