Apple releases iPhone and iPad updates to patch HomeKit DoS vulnerability


Apple released software updates for iOS and iPadOS on Wednesday to fix a persistent DoS issue that affected the HomeKit smart home framework. The issue could potentially be exploited by ransomware to launch attacks against the devices.

The iPhone maker, in its release notes for iOS and iPadOS 15.2.1, described it as a “resource exhaustion issue” that could be triggered when processing a maliciously crafted HomeKit accessory name, adding that it addressed the bug with improved validation.

The so-called “doorLock” vulnerability, tracked as CVE-2022-22588, affects HomeKit, the software API for connecting smart home devices to iOS applications.

If it is successfully exploited, iPhones and iPads can be sent into a crash spiral simply by changing the name of a HomeKit device to a string longer than 500,000 characters and tricking the target into accepting a malicious Home invitation.

Even worse, because HomeKit devices are backed up in iCloud and HomeKit names can be linked back to iCloud accounts, the DoS condition can be triggered again, causing HomeKit devices to crash and restart. The cycle can only be ended by restoring their factory settings.

Although the company tried to address the issue by setting a maximum length for app and user names, the limit did not stop an attacker running an older version, which still allows overly long device names. The attacker could then use that to get the victim to open a phishing invitation.
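A minimal model of why the length limit has to be enforced by the device that receives a name, on every path that delivers one, rather than only by the app that sets it. This is an added example, not Apple's code or part of the original article; the 256-byte cap, the record layout and all function names are assumptions.

```python
import unicodedata

# Assumed cap for this example; the article does not state the limit Apple chose.
MAX_NAME_BYTES = 256


class NameRejected(ValueError):
    """Raised when an accessory name fails receiver-side validation."""


def validate_accessory_name(raw: bytes) -> str:
    """Validate an untrusted accessory name before any further processing."""
    # Check the size first, on the raw bytes, so an oversized value is never
    # decoded, normalized, rendered or stored.
    if len(raw) > MAX_NAME_BYTES:
        raise NameRejected(f"name is {len(raw)} bytes, limit is {MAX_NAME_BYTES}")
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise NameRejected("name is not valid UTF-8") from exc
    name = unicodedata.normalize("NFC", name).strip()
    if not name or any(unicodedata.category(c) == "Cc" for c in name):
        raise NameRejected("name is empty or contains control characters")
    return name


def ingest(records, source):
    """Run every record through the same check, whatever path delivered it.

    Returns (accepted, quarantined). Rejected records are set aside with a
    reason instead of being retried, so one bad record cannot cause a loop.
    """
    accepted, quarantined = [], []
    for rec in records:
        try:
            accepted.append({"id": rec["id"], "name": validate_accessory_name(rec["name"])})
        except NameRejected as exc:
            quarantined.append({"id": rec["id"], "source": source, "reason": str(exc)})
    return accepted, quarantined


# Constructed sample data: one ordinary name and one oversized name like the
# one the article describes (more than 500,000 characters).
SAMPLE = [
    {"id": "acc-1", "name": "Front Door Lock".encode()},
    {"id": "acc-2", "name": b"A" * 500_001},
]
```

Calling `ingest(SAMPLE, "invitation")` and `ingest(SAMPLE, "cloud-restore")` gives the same result: the oversized record is quarantined whether it arrives in an invitation or comes back from a synced backup, regardless of what limit the sending client enforced.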

The fix comes weeks after security researcher Trevor Spiniolas, who discovered the vulnerability, called out the company for failing to “take the matter seriously” despite having reported it in August 2021 and leaving its customers exposed to a pretty serious issue.

“Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters,” Spiniolas said.
