Apple has released security updates to fix the doorLock persistent denial of service (DoS) attack, which abuses HomeKit to completely disable iPhones and iPads running iOS 14.7 and later. HomeKit is an iOS and iPadOS protocol and framework that lets users discover and control smart home devices on their network.
According to a security advisory released today by Apple, the doorLock vulnerability, tracked as CVE-2022-22588, causes affected iOS and iPadOS devices to crash when they process maliciously crafted HomeKit accessory names. In iOS 15.2.1 and iPadOS 15.2.1, Apple fixed the severe resource exhaustion issue by improving input validation, so that attackers can no longer disable vulnerable devices. iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) all received the security updates.
“Four months ago, I discovered and reported a serious denial of service bug in iOS that still remains in the latest release. It persists through reboots and can trigger after restores under certain conditions,” said Trevor Spiniolas, a programmer and “beginning security researcher” who discovered the flaw and reported it.
“All the requirements are default settings. When someone sets up their iOS device, everything is already in order for the bug to work. If they accept a malicious home invitation from there, their device stops working.”
According to Spiniolas, Apple has been aware of doorLock since August 2021, but has repeatedly pushed back the security update despite promising to patch it. According to the researcher, an attacker would have to change a HomeKit device’s name to a very long string of up to 500,000 characters and trick the victim into accepting a Home invitation. After joining the attacker’s HomeKit network, the target’s device becomes unresponsive and eventually crashes. The only way to recover from such an attack is to factory reset the disabled device, because restoring and signing back into the iCloud account associated with the HomeKit data will cause it to crash again.
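The defensive lesson of doorLock is that bounded input validation has to sit on every path by which accessory names enter a device, including the iCloud restore path that made the crash persist after sign-in. The following added example (illustrative code, not Apple's or HomeKit's own; the name length cap and the Home data model are assumptions) shows a validator applied to both the invitation-accept path and the cloud-restore path:

```python
# Added illustration: bounded validation of HomeKit-style accessory names
# applied at every ingestion point, including restore from the cloud account.
from dataclasses import dataclass, field

# Assumed cap; the article does not state the limit Apple actually enforces.
MAX_ACCESSORY_NAME_LEN = 64


@dataclass
class Home:
    """Hypothetical model of a shared Home and the accessory names it carries."""
    name: str
    accessory_names: list = field(default_factory=list)


class InvalidAccessoryName(ValueError):
    pass


def validate_accessory_name(name: str) -> str:
    """Reject names that are empty, overlong, or contain control characters."""
    if not isinstance(name, str) or not name.strip():
        raise InvalidAccessoryName("empty name")
    if len(name) > MAX_ACCESSORY_NAME_LEN:  # length is checked before any scan
        raise InvalidAccessoryName(f"name too long ({len(name)} chars)")
    if any(ord(c) < 0x20 for c in name):
        raise InvalidAccessoryName("control character in name")
    return name


def _is_valid(name: str) -> bool:
    try:
        validate_accessory_name(name)
        return True
    except InvalidAccessoryName:
        return False


def accept_home_invitation(home: Home, local_homes: list) -> bool:
    """Ingestion path 1: a Home invitation from another user.
    A Home with any invalid accessory name is dropped, never stored."""
    if not all(_is_valid(n) for n in home.accessory_names):
        return False
    local_homes.append(home)
    return True


def restore_homes_from_cloud(cloud_homes: list) -> list:
    """Ingestion path 2: Home data already synced to the account (the path that
    re-crashed devices after sign-in). Only homes that pass validation survive."""
    return [h for h in cloud_homes if all(_is_valid(n) for n in h.accessory_names)]
```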
After Apple delayed repairing three iOS zero-day flaws and neglected to credit him while patching a fourth in July, software engineer Denis Tokarev posted proof-of-concept exploit code for three of them on GitHub in September. Apple addressed one of the ‘gamed’ zero-day vulnerabilities discovered by Tokarev a month later, with the release of iOS 15.0.2.
However, Apple refused to acknowledge or credit him for the finding and asked him to remain silent and not tell anyone else that the company had failed to give him credit for the bug. Other security experts and bug bounty hunters have reported similar experiences, saying that Apple has kept them in the dark for months and has refused to respond to their messages.