Apple HomeKit has a new persistent denial of service vulnerability called ‘doorLock,’ which affects iOS 14.7 through 15.2. Apple HomeKit, a software framework, lets iPhone and iPad users operate smart home appliances from their phones and tablets.
Apple has known about the problem since August 10, 2021, according to Trevor Spiniolas, the security researcher who made the information public. Despite Apple’s repeated pledges to address it, the researcher claims that the security update has been delayed farther and further, and the issue remains unsolved.
An attacker would use a string longer than 500,000 characters in the name of a HomeKit device to trigger ‘doorLock.’ Spiniolas provided a proof-of-concept hack as an iOS app having access to Home data and can modify HomeKit device names to show the doorLock flaw.
Even if the target user hasn’t connected any Home devices to HomeKit, forging and accepting an invitation provides an attack pathway. A device running a vulnerable iOS version will be placed into a denial of service (DoS) condition while trying to load the large string, with a hard reset being the only way out.
On the other hand, resetting the device will erase all saved data, which will only be recoverable if you have a backup. To make matters worse, the problem will be re-triggered after the device reboots, and the user registers back into the iCloud account associated with the HomeKit device.
“In iOS 15.1 (or possibly 15.0), a limit on the length of the name an app or the user can set was introduced,” clarifies Spiniolas in his blog post. “The introduction of a local size limit on the renaming of HomeKit devices was a minor mitigation that ultimately fails to solve the core issue, which is the way that iOS handles the names of HomeKit devices.”
If attackers wanted to take advantage of this flaw, they’d be far more likely to use Home invites than an app because invitations don’t need users to own a HomeKit device.
The consequences of this attack vary from an inoperable device that reboots forever to the inability to take an iCloud backup since logging back into the online backup services re-triggers the vulnerability. According to the researcher, this attack might be exploited as a ransomware vector, locking iOS devices and demanding a ransom payment for restoring the HomeKit device to a safe string length.
