A persistent denial-of-service (DoS) vulnerability has been discovered in Apple's iOS mobile operating system that's capable of sending affected devices into a crash or reboot loop upon connecting to an Apple Home-compatible appliance.
The behavior, dubbed "doorLock," is trivial in that it can be triggered by simply changing the name of a HomeKit device to a string larger than 500,000 characters.
This causes an iPhone or iPad that attempts to connect to the device to become unresponsive and enter an indefinite cycle of system failure and restart that can only be mitigated by restoring the affected device from Recovery or DFU (Device Firmware Update) Mode.
HomeKit is Apple's software framework that allows iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances using Apple devices.
"Any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting," security researcher Trevor Spiniolas said. "Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug."
The flaw impacts the latest version of iOS, 15.2, and goes back at least as far as version 14.7, with the weakness likely present on all versions of iOS 14 from 14.0. Apple, for its part, was made aware of the bug on August 10, 2021, with the company aiming to resolve the flaw in early 2022.
While the iPhone maker has attempted to mitigate the issue by introducing a local size limit on renaming HomeKit devices, Spiniolas noted that the core issue of how iOS handles HomeKit device names remains unresolved.
In a real-world attack scenario, doorLock could be exploited by an attacker by sending a malicious invite to connect to a HomeKit device with an abnormally large string as its name, effectively locking users out of their local data and preventing them from logging back into iCloud on iOS.
To make matters worse, since HomeKit device names are also stored on iCloud, signing in to the same iCloud account with a restored device will set off the crash once again, unless the device owner opts to switch off the option to sync HomeKit data.
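The pattern described above, as an added illustration that is not the article's or Apple's code: a toy Python model of HomeKit name handling in which the length limit is applied only on the local rename path (the partial mitigation), beside a version that validates every ingress path (local rename, iCloud sync, share invite) at one choke point. The 256-character limit and all class and function names are assumptions; the 500,000-character figure is the one the article reports.

```python
# Added example (not from the article or Apple). Models why a limit on
# the local rename path alone does not close the bug: names that arrive
# through iCloud sync or an invite still reach the rendering code.
MAX_NAME_LEN = 256          # assumed policy limit; the article gives none
BUG_THRESHOLD = 500_000     # length the article says triggers the bug


class NameTooLong(ValueError):
    pass


def render_name(name: str) -> str:
    """Stand-in for the UI code that hangs on an oversized name."""
    if len(name) > BUG_THRESHOLD:
        raise RuntimeError("simulated reboot loop")
    return name


class PatchedOnlyLocally:
    """'Before': the limit exists only where the user renames locally."""
    def __init__(self):
        self.names = {}

    def rename_locally(self, dev, name):
        if len(name) > MAX_NAME_LEN:
            raise NameTooLong(len(name))
        self.names[dev] = name

    def apply_icloud_sync(self, dev, name):
        self.names[dev] = name          # unchecked: the bug stays reachable

    def show(self, dev):
        return render_name(self.names[dev])


class ValidatedEverywhere:
    """'After': every ingress path goes through the same validator."""
    def __init__(self):
        self.names = {}
        self.rejected = []              # (source, device, length) for logging

    def _accept(self, source, dev, name):
        if len(name) > MAX_NAME_LEN:
            self.rejected.append((source, dev, len(name)))
            return False                # drop the record instead of crashing
        self.names[dev] = name
        return True

    def rename_locally(self, dev, name):
        return self._accept("local", dev, name)

    def apply_icloud_sync(self, dev, name):
        return self._accept("icloud", dev, name)

    def accept_invite(self, dev, name):
        return self._accept("invite", dev, name)

    def show(self, dev):
        return render_name(self.names.get(dev, "<rejected>"))
```

Because the validated store rejects the synced record rather than storing it, signing a restored device back into the same account no longer reintroduces the oversized name.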
"This bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in [the] control center in order to protect local data," Spiniolas said. "I believe this issue makes ransomware viable for iOS, which is incredibly significant."