Security News > 2022 > January > Researchers Detail New HomeKit 'doorLock' Bug Affecting Apple iOS

A persistent denial-of-service vulnerability has been discovered in Apple's iOS mobile operating system that's capable of sending affected devices into a crash or reboot loop upon connecting to an Apple Home-compatible appliance.

HomeKit is Apple's software framework that allows iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances using Apple devices.

"Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug."

While iPhone maker has attempted to mitigate the issue by introducing a local size limit on the renaming of HomeKit devices, Spiniolas noted that the core issue of how iOS handles HomeKit device names remains unresolved.

In a real-world attack scenario, doorLock could be exploited by an attacker by sending a malicious invite to connect to a HomeKit device with an abnormally large string as its name, effectively locking users out of their local data and preventing them from logging back into iCloud on iOS. To make matters worse, since HomeKit device names are also stored on iCloud, signing in to the same iCloud account with a restored device will set off the crash once again, unless the device owner opts to switch off the option to sync HomeKit data.

"This bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in [the] control center in order to protect local data," Spiniolas said.

News URL

https://thehackernews.com/2022/01/researchers-detail-new-homekit-doorlock.html