A researcher claims Apple has failed to patch a potentially serious vulnerability that can be exploited to launch denial-of-service (DoS) attacks against iPhones and iPads.
The flaw, dubbed doorLock, was reported to Apple on August 10 by Trevor Spiniolas, who decided to disclose his findings on January 1. The researcher said the tech giant had initially planned on rolling out a fix by the end of the year, but in December that deadline changed to “early 2022.”
The vulnerability is related to HomeKit, the software framework provided by Apple for configuring and controlling smart home appliances from iPhones and iPads.
The bug lies in how iOS handles the name assigned to a HomeKit device. If the name is a very large string (Spiniolas used 500,000 characters in his tests), the device that loads it slows down significantly or becomes unresponsive. The victim is unable to access data stored on the phone or tablet, and the problem persists across a device reboot or update.
The vulnerability can be triggered by a malicious application, by manually renaming a device, or by sending out an invitation with a specially crafted device name to the targeted user.
While Apple has introduced a limit on the name length in iOS 15, devices running this version of the operating system can still be attacked by sending them an invitation containing the specially crafted device name.
“When the name of a HomeKit device is altered, the new name is stored in iCloud and is updated across all other iOS devices signed into the same account if Home Data is enabled. iOS frequently updates this data without any user interaction,” the researcher explained.
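The defensive lesson of the paragraphs above is that a length limit enforced only in the local rename UI does not help when the same field can also arrive via iCloud sync or an invitation. The following Python is an added illustration, not Apple's or the researcher's code, of one validator applied on every ingestion path of a hypothetical Home data store. The names (`HomeStore`, `validate_accessory_name`, the 64-character and 200-byte caps) are assumptions for the example; the page does not state what limit iOS 15 actually enforces.

```python
from dataclasses import dataclass, field

# Assumed limits for this illustration; the page does not state Apple's actual cap.
MAX_NAME_CHARS = 64
MAX_NAME_BYTES = 200


class NameTooLongError(ValueError):
    """Raised when an accessory name exceeds the character or UTF-8 byte cap."""


def validate_accessory_name(name: str) -> str:
    """Return a sanitised accessory name or raise ValueError.

    The checks run on exactly the string the device would store and render,
    so an oversized name is refused no matter which path delivered it.
    """
    if not isinstance(name, str):
        raise ValueError("accessory name must be a string")
    cleaned = name.strip()
    if not cleaned:
        raise ValueError("accessory name must not be empty")
    if len(cleaned) > MAX_NAME_CHARS:
        raise NameTooLongError(f"{len(cleaned)} characters exceeds {MAX_NAME_CHARS}")
    if len(cleaned.encode("utf-8")) > MAX_NAME_BYTES:
        raise NameTooLongError(f"UTF-8 encoding exceeds {MAX_NAME_BYTES} bytes")
    return cleaned


@dataclass
class HomeStore:
    """Toy stand-in for a device's local Home data (hypothetical, not HomeKit)."""
    accessories: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)

    def _store(self, source: str, accessory_id: str, name: str) -> bool:
        try:
            self.accessories[accessory_id] = validate_accessory_name(name)
            return True
        except ValueError as exc:
            self.rejected.append((source, accessory_id, str(exc)))
            return False

    def rename_locally(self, accessory_id: str, name: str) -> bool:
        return self._store("local-rename", accessory_id, name)

    def apply_cloud_sync(self, accessory_id: str, name: str) -> bool:
        # Data pulled from the cloud is still untrusted: another device on the
        # same account wrote it, and this device never saw the rename UI.
        return self._store("cloud-sync", accessory_id, name)

    def accept_invitation(self, invitation: dict) -> bool:
        # Validate every accessory name before committing any of them, so one
        # oversized name rejects the whole invitation instead of half-applying it.
        staged = {}
        for accessory_id, name in invitation.get("accessories", {}).items():
            try:
                staged[accessory_id] = validate_accessory_name(name)
            except ValueError as exc:
                self.rejected.append(("invitation", accessory_id, str(exc)))
                return False
        self.accessories.update(staged)
        return True


def demo() -> dict:
    """Exercise the three ingestion paths with a constructed oversized name."""
    store = HomeStore()
    hostile = "A" * 500_000  # constructed; same length as the report's test string
    invite = {"home": "Invite", "accessories": {"lock-1": "Front door", "lock-2": hostile}}
    return {
        "local_ok": store.rename_locally("lamp-1", "Living room lamp"),
        "local_hostile": store.rename_locally("lamp-1", hostile),
        "sync_hostile": store.apply_cloud_sync("lamp-2", hostile),
        "invite_hostile": store.accept_invitation(invite),
        "stored": dict(store.accessories),
        "rejected_sources": [entry[0] for entry in store.rejected],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The single validator is the point: because the local rename, the cloud sync and the invitation all pass through `validate_accessory_name`, adding a limit to one entry point cannot leave another one unchecked, and the store only ever holds a string it already proved small enough to render.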
Spiniolas said he successfully reproduced the flaw on various iPhone and iPad devices running iOS and iPadOS versions between 14.7 and the latest 15.2, but he believes older versions could be affected as well.
“I believe this issue makes ransomware viable for iOS, which is incredibly significant,” Spiniolas warned. “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions, even if they don’t have a HomeKit device.”
He added, “An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue.”
The researcher has shared some recommendations on how an attacked device can be restored. He has also made available a couple of videos showing the exploit in action.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.