A cybersecurity researcher has uncovered a novel persistent denial of service flaw called 'doorLock' in Apple HomeKit, impacting iOS devices.
The security researcher Trevor Spiniolas publicly disclosed the details and explained in a blog post that Apple has known about the bug since August 10, 2021. As a matter of concern, the company doesn’t seem interested in fixing the bug, despite the repeated promises.
“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark,” Spinolas stated.
Apple HomeKit is a software platform that allows iPhone and iPad users to control smart home appliances from their devices.
To trigger the flaw, the threat actor requires to alter the name of a HomeKit device to a string larger than 500,000 characters. Subsequently, if an iOS device connects to HomeKit it will become unresponsive once it reads the device name and enters a cycle of freezing and rebooting that can only be ended by wiping and restoring the iOS device.
To make the situation worse, once the device reboots and the user signs back into the iCloud account linked to the HomeKit device, the bug will be triggered again, with the cycle continuing until the device owner switches off the option to sync home devices from iCloud.
Hence, it is possible that a threat actor could exploit a user’s existing HomeKit-enabled device, the most likely way the exploit would be triggered is if the attacker designed a spoof Home network and tricked a user into joining via a phishing email. This attack could be used as a ransomware vector, locking iOS devices into an unusable state and demanding a ransom payment to set the HomeKit device back to a safe string length.
"In iOS 15.1 (or possibly 15.0), a limit on the length of the name an app or the user can set was introduced. The introduction of a local size limit on the renaming of HomeKit devices was minor mitigation that ultimately fails to solve the core issue, which is the way that iOS handles the names of HomeKit devices.
If an attacker were to exploit this vulnerability, they would be much more likely to use Home invitations rather than an application anyways, since invitations would not require the user to actually own a HomeKit device.,” Spiniolas explained in his blog post.
To mitigate the risk, the researcher recommended iOS users is to immediately reject any invitations to join an unknown Home network. Additionally, iOS users who currently use smart home devices can guard themselves by entering the Control Center and disabling the setting “Show Home Controls.”