Apple Patches iOS HomeKit Flaw After Researcher Warning

Apple has released an iOS security update with a fix for a persistent denial-of-service flaw in the HomeKit software framework but only after an independent researcher publicly criticized the company for ignoring his discovery.

The iOS 15.2.1 patch, available for all supported iPhones and iPads, is described simply as a “resource exhaustion issue” that causes the device to hang when processing maliciously crafted HomeKit accessory names.

The sudden appearance of the patch comes almost two weeks after researcher Trevor Spiniolas publicly documented the HomeKit bug and warned that it could be exploited to launch ransomware-type attacks on iPhones.

Spiniolas found that when the name of an Apple HomeKit device is changed to an unusually large string, any iOS device that loads the string hangs persistently. Even worse, restoring the device and signing back into the iCloud account linked to the HomeKit data triggers the bug again, Spiniolas explained, so a factory reset alone does not clear the condition.
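The defensive lesson in the paragraph above is that untrusted, account-synced data (here, accessory names) must be bounded and validated before anything downstream processes it, and that one bad record should be quarantined rather than allowed to wedge the whole Home. The following Python is an added illustration of that pattern and is not Apple's code or anything from the researcher's disclosure; the 64-byte limit, the record layout and the sample names are assumptions constructed for the example.

```python
"""Bounded validation of untrusted HomeKit-style accessory names.

Added example, not Apple's implementation: records arrive from a synced,
attacker-influenceable source, so each name is checked before any UI or
storage code touches it.  Offending records are set aside individually so
the rest of the Home still loads instead of the whole view hanging.
"""
import unicodedata

# Assumed limit for the example; Apple's real bound is not public here.
MAX_NAME_BYTES = 64

# Unicode categories that have no business in a display name: control,
# format (zero-width characters), and line/paragraph separators.
_DISALLOWED_CATEGORIES = ("Cc", "Cf", "Zl", "Zp")


def validate_name(name):
    """Return None if the name is acceptable, otherwise a short rejection reason."""
    if not isinstance(name, str):
        return "name is not a string"
    # Measure the bound in encoded bytes, not code points, so that long
    # multibyte names cannot slip past a character count.
    encoded = name.encode("utf-8")
    if len(encoded) == 0:
        return "empty name"
    if len(encoded) > MAX_NAME_BYTES:
        return "name exceeds %d bytes" % MAX_NAME_BYTES
    # Normalize so that canonically equivalent strings are judged alike,
    # then reject control and format characters.
    for ch in unicodedata.normalize("NFC", name):
        if unicodedata.category(ch) in _DISALLOWED_CATEGORIES:
            return "control or format character in name"
    return None


def load_home(records):
    """Split untrusted accessory records into (accepted, quarantined).

    Quarantined entries keep only the record id and the reason, so the
    oversize payload itself is never carried further into the app.
    """
    accepted, quarantined = [], []
    for rec in records:
        reason = validate_name(rec.get("name"))
        if reason is None:
            accepted.append(rec)
        else:
            quarantined.append({"id": rec.get("id"), "reason": reason})
    return accepted, quarantined


# Constructed sample payload (not real HomeKit data): two benign accessories,
# one whose name is a very long string standing in for the oversize name,
# and one carrying a zero-width space.
SAMPLE_RECORDS = [
    {"id": "lamp-1", "name": "Living Room Lamp"},
    {"id": "therm-1", "name": "Thermostat"},
    {"id": "evil-1", "name": "A" * 500_000},
    {"id": "evil-2", "name": "Lamp\u200b"},
]

if __name__ == "__main__":
    ok, bad = load_home(SAMPLE_RECORDS)
    print("accepted:", [r["id"] for r in ok])
    print("quarantined:", bad)
```

The length check runs on the raw encoded bytes before any normalization or parsing, so the expensive work never happens on an unbounded input; quarantining by id rather than dropping the record silently also gives the user something to act on (delete or rename the accessory) instead of an unexplained hang.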

In his public disclosure, Spiniolas suggested this could be a viable opening for data extortion attacks on iOS devices.

“Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions, even if they don’t have a HomeKit device,” he added.

In another scenario, Spiniolas suggested an attacker could use email addresses resembling Apple services or HomeKit products to trick less tech-savvy users into accepting the invitation, and then demand payment via email in return for fixing the issue.

Spiniolas said he first reported the security issue to Apple in early August last year and nudged the company for several months before deciding to issue a public warning to iPhone users.

The researcher, who has previously worked with Apple on security reports, accused Apple of leaving its customers exposed to a serious issue for months.

“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark,” Spiniolas said.

“I found their response to be insufficient. Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done,” he added, noting that status updates from Cupertino were rare and lacked transparency.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
