Security researchers Trevor Spiniolas discovered a new persistent DoS vulnerability, dubbed ‘doorLock,’ affecting the Apple HomeKit in iOS 14.7 through 15.2.
HomeKit is a software framework by Apple, made available in iOS/iPadOS that lets users configure, communicate with, and control smart-home appliances using Apple devices. It provides users with a way to automatically discover such devices and configure them.
Spiniolas speculates that Apple is aware of the flaw since August 10, 2021, but the IT giant has yet to address it.
“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” writes the researcher. “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.” said Spiniolas.
An attacker could trigger the vulnerability by changing the name of a HomeKit device to a string larger than 500,000 characters. Upon loading the string, iOS and iPadOS devices will reboot and will be unusable. The vulnerability can only be exploited by attackers with access to the victim’s ‘Home’ or via manually accepting an invitation to one.
Spinolas released an iOS app that has access to Home data and changes HomeKit device names.
In order to solve the issue, it is necessary to force a reset of the device that will cause all stored data to be removed. The only way to recover the removed data will be to restore a working backup.
“When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting. Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug. There are two main scenarios that may occur afterwards, as outlined in the “Effects” section of this document.” wrote the expert.
The expert explained that once the device reboots and the user signs into the same iCloud account linked to the HomeKit device, the doorLock bug will be triggered again.
“If the bug is triggered on a version of iOS without the limit and the device shares HomeKit data with a device on an iOS version with the limit, both will be still be affected. If a user does not have any Home devices added, the bug can still be triggered by accepting an invitation to a Home that contains a HomeKit device with a large string as its name, even on iOS 15.2.” continues the expert. “The bug can also be triggered on versions without the length limit by simply copying a large string of text and pasting it when manually renaming a Home device, although the Home app may crash when doing so.”
The expert pointed out that that the issue could be exploited by ransomware operators to make devices unusable.
“Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version.” states the expert.
Spiniolas explained that it is possible to avoid the exploitation of this issue by disabling Home devices in Control Center. Users are also recommended to be vigilant to invitations to join Home networks of other users.
In order to regain normal access to the iCloud account linked to the data, it is possible to perform the following steps (Tested on iOS 15.2).
If you are not able to install the testing application (most people):
If you are able to install the testing application with Xcode and wish to regain access to Home Data:
(SecurityAffairs – hacking, IKEA)