DoS Attack Vectors Found via Unpatched HomeKit Vulnerability which Exposes iPhones and iPads

3 years ago   •   2 min read

Researchers claim Apple has failed to patch a serious vulnerability that can be exploited to launch denial-of-service (DoS) attacks against iPhones and iPads.
The flaw, dubbed doorLock, was reported to Apple on August 10 by Trevor Spiniolas, who decided to disclose his findings on January 1. The researcher said the tech giant had initially planned on rolling out a fix by the end of the year, but in December that deadline changed to “early 2022.”

A persistent denial-of-service (DoS) vulnerability has been discovered in Apple’s iOS mobile operating system that’s capable of sending affected devices into a crash or reboot loop upon connecting to an Apple Home-compatible appliance.

The behavior, dubbed “doorLock,” is trivial in that it can be triggered by simply changing the name of a HomeKit device to a string larger than 500,000 characters.

This causes an iPhone or iPad that attempts to connect to the device to become unresponsive and enter an indefinite cycle of system failure and restart that can only be mitigated by restoring the affected device from Recovery or DFU (Device Firmware Update) Mode.

HomeKit is Apple’s software framework that allows iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances using Apple devices.

“Any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting,” security researcher Trevor Spiniolas said. “Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.”

HomeKit Denial of Service Vulnerability (Via Home Invitation)

The flaw impacts the latest version of iOS, 15.2, and goes back at least as far as version 14.7, with the weakness likely present on all versions of iOS 14 from 14.0. Apple, for its part, was made aware of the bug on August 10, 2021, with the company aiming to resolve the flaw in early 2022.

While iPhone maker has attempted to mitigate the issue by introducing a local size limit on the renaming of HomeKit devices, Spiniolas noted that the core issue of how iOS handles HomeKit device names remains unresolved.

HomeKit Denial of Service Vulnerability (Setup after Restore)

In a real-world attack scenario, doorLock could be exploited by an attacker by sending a malicious invite to connect to a HomeKit device with an abnormally large string as its name, effectively locking users out of their local data and preventing them from logging back into iCloud on iOS.

To make matters worse, since HomeKit device names are also stored on iCloud, signing in to the same iCloud account with a restored device will set off the crash once again, unless the device owner opts to switch off the option to sync HomeKit data.

“This bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in [the] control center in order to protect local data,” Spiniolas said. “I believe this issue makes ransomware viable for iOS, which is incredibly significant.”

Cloudnerve has reached out to Apple for comment and will update this article if the company responds.

Spread the word

Keep reading