Security News > 2022 > January > Apple iOS vulnerable to HomeKit 'doorLock' denial of service bug

Apple HomeKit is a software framework that lets iPhone and iPad users control smart home appliances from their devices.
To demonstate the doorLock bug, Spinolas has released a proof-of-concept exploit in the form of an iOS app that has access to Home data and can change HomeKit device names.
Upon attempting to load the large string, a device running a vulnerable iOS version will be thrown into a denial of service state, with a forced reset being the only way out of it.
To make matters worse, once the device reboots and the user signs back into the iCloud account linked to the HomeKit device, the bug will be re-triggered.
"The introduction of a local size limit on the renaming of HomeKit devices was a minor mitigation that ultimately fails to solve the core issue, which is the way that iOS handles the names of HomeKit devices."
As the researcher explains, this attack could be used as a ransomware vector, locking iOS devices into an unusable state and demanding a ransom payment to set the HomeKit device back to a safe string length.
News URL
Related news
- Apple Patches Actively Exploited iOS Zero-Day CVE-2025-24200 in Emergency Update (source)
- Global Pressure Mounts for Apple as Brazilian Court Demands iOS Sideloading Within 90 Days (source)
- Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices (source)
- Apple Rolls Out iOS 18.4 With New Languages, Emojis & Apple Intelligence in the EU (source)