Apple charged with recklessness over iOS security vulnerability

Some devices running Apple's iOS software are vulnerable to a recently discovered denial-of-service vulnerability called "doorLock," but Apple does not seem particularly interested in fixing it, according to reports.

The vulnerability, first discovered by security researcher Trevor Spiniolas, affects Apple HomeKit in iOS versions 14.7 to 15.2. HomeKit is a software platform for building smart home applications.

Spiniolas demonstrated the flaw in a video posted on YouTube, showing that all an attacker has to do to trigger it is change the name of a HomeKit device to a string of more than 500,000 characters.

Prevention versus mitigation

When creating an iOS app that has access to Home data, you can change the names of HomeKit devices, even if the target device has no Home devices added to HomeKit. Anyone can guess how long it would take for an application like this to be flagged by an antivirus program.

When the device attempts to load the long string, it hangs. The only way the user can get it out of this state is to restart it. However, restarting wipes all saved data. On top of that, signing back in to the iCloud account linked to the HomeKit device only puts the victim back at square one, resulting in an endless cycle of crashes and resets.

"Introducing a local size limit for renaming HomeKit devices was a small mitigation that ultimately doesn't address the core issue, which is how iOS handles the names of HomeKit devices," the researcher explained in his report.

"If an attacker were to exploit this vulnerability, they would be significantly more likely to use Home invites than an app anyway, as the invites would not require the user to actually have a HomeKit device."

Spiniolas said he spoke with Apple about the flaw in August of last year, but the problem has not yet been resolved, despite Apple's promise to fix it. He claimed that it could be used as a ransomware vector, with the attacker demanding payment in exchange for restoring a HomeKit device name to a safe string length.

So what can people do while they wait? According to BleepingComputer, the focus should be on prevention at this point, because if someone has access to a victim's "Home", it's going to be an uphill battle.

That said, emails from addresses that appear to belong to Apple services or HomeKit products should be treated as suspicious and scrutinized in the same way as emails that may contain malware.

For those who have given someone access, here is what they can do:

Via: BleepingComputer