Last Updated on 04/01/2022 by Nidhi Khandelwal
A persistent denial-of-service (DoS) vulnerability has been discovered in Apple’s iOS mobile operating system that can cause vulnerable devices to crash or reboot when they connect to an Apple Home-compatible appliance.
The bug, dubbed “doorLock”, is simple to trigger: it requires only changing the name of a HomeKit device to a string longer than 500,000 characters.
Apple’s HomeKit software architecture enables iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances from their Apple devices.
“Any device that loads the string on a compromised iOS version will be interrupted, even after resetting,” stated security researcher Trevor Spiniolas. “Restoring a device and re-enrolling in the iCloud account associated with the HomeKit device will re-trigger the problem.”
An iPhone or iPad that tries to connect to such a device will become unresponsive and enter an unending cycle of system failure and restart that can only be stopped by restoring it from Recovery or DFU (Device Firmware Update) mode.
The vulnerability affects the most recent version of iOS, 15.2, and dates back at least to version 14.7, with the bug likely present in all versions of iOS 14 starting with 14.0. Apple, for its part, was notified of the flaw on August 10, 2021, and the company has said it aims to fix it in early 2022.
While Apple has attempted to mitigate the problem by imposing a local limit on the length of names set when renaming a HomeKit device, Spiniolas pointed out that the underlying issue of how iOS handles HomeKit device names has yet to be addressed.
In a real-world attack scenario, an attacker might use doorLock to lock users out of their local data and prevent them from signing back into iCloud on iOS by sending a fraudulent invitation to connect to a HomeKit device whose name is an excessively long string.
To make matters worse, because HomeKit device names are also stored in iCloud, signing in to the same iCloud account from a restored device will cause the crash to occur again, unless the device owner first disables the HomeKit data sync option.