Unpatched HomeKit Vulnerability Exposes iPhones, iPads to DoS Attacks

A researcher claims Apple has failed to patch a potentially serious vulnerability that can be exploited to launch denial-of-service (DoS) attacks against iPhones and iPads.

The flaw, dubbed doorLock, was reported to Apple on August 10 by Trevor Spiniolas, who decided to disclose his findings on January 1. The researcher said the tech giant had initially planned on rolling out a fix by the end of the year, but in December that deadline changed to “early 2022.”

The vulnerability is related to HomeKit, the software framework provided by Apple for configuring and controlling smart home appliances from iPhones and iPads.

The security bug is related to the name assigned to a HomeKit device. If the name is a large string — 500,000 characters were used in the tests conducted by Spiniolas — the device that loads the string significantly slows down or becomes unresponsive. The victim will not be able to access data stored on the phone or tablet and the problem persists across a device reboot or update.

The vulnerability can be triggered by a malicious application, by manually renaming a device, or by sending out an invitation with a specially crafted device name to the targeted user.

While Apple has introduced a limit on the name length in iOS 15, devices running this version of the operating system can still be attacked by sending them an invitation containing the specially crafted device name.

“When the name of a HomeKit device is altered, the new name is stored in iCloud and is updated across all other iOS devices signed into the same account if Home Data is enabled. iOS frequently updates this data without any user interaction,” the researcher explained.

Spiniolas said he successfully reproduced the flaw on various iPhone and iPad devices running iOS and iPadOS versions between 14.7 and the latest 15.2, but he believes older versions could be affected as well.

“I believe this issue makes ransomware viable for iOS, which is incredibly significant,” Spiniolas warned. “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions, even if they don’t have a HomeKit device.”

He added, “An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue.”

The researcher has shared some recommendations on how an attacked device can be restored. He has also made available a couple of videos showing the exploit in action.

SecurityWeek has reached out to Apple for comment and will update this article if the company responds.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
