Security Experts:

Apple Patches iOS HomeKit Flaw After Researcher Warning

Apple has released an iOS security update with a fix for a persistent denial-of-service flaw in the HomeKit software framework but only after an independent researcher publicly criticized the company for ignoring his discovery.

The iOS 15.2.1 patch, available for all supported iPhones and iPads, is described simply as a “resource exhaustion issue” that causes the device to hang when processing maliciously crafted HomeKit accessory names.

The sudden appearance of the patch comes almost two weeks after researcher Trevor Spiniolas publicly documented the HomeKit bug and warned that it could be exploited to launch ransomware-type attacks on iPhones.

Spinolas found that when the name of an Apple HomeKit device is changed to an unusually large string, any iOS device that loads the string will face a persistent disruption.  Even worse, restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug, Spinolas explained. 

[ READ: Apple Adds 'BlastDoor' to Thwart iOS Zero-Click Attacks ]

In his public disclosure, Spinolas suggested this could be a viable opening for data extortion attacks on iOS devices.  

“Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions, even if they don't have a HomeKit device,” he added.

In another scenario, Spinolas suggested an attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users into accepting the invitation and then demand payment via email in return for fixing the issue.

Spinolas said he first reported the security issue to Apple in early August last year and gently nudged the company for a few months before deciding to issue a public warning to iPhone users.

[ READ: Apple Patches 'Actively Exploited' Mac, iOS Security Flaw ]

The researcher, who has previously worked with Apple on security reports, accused Apple of leaving its customers exposed to a pretty serious issue.  

“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark,” Spinolas said.

“I found their response to be insufficient. Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done,” he added, noting that status updates from Cupertino were rare and lacked transparency.

Related: Apple Adds 'BlastDoor' to Secure iPhones From Zero-Click Attacks

Related: Apple Patches 'Actively Exploited' Mac, iOS Security Flaw

Related: Apple Ships Emergency Fixes for Under-Attack iOS Zero-Day

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.