A security researcher has released details about an Apple HomeKit bug that can cause a denial of service on connected iOS devices and persists after reboots. The researcher says he reported the bug to Apple in August.
Security researcher Trevor Spiniolas, who discovered the bug, calls the vulnerability Doorlock and has published a proof-of-concept on GitHub. The bug is in Apple’s HomeKit API for smart home devices. It is triggered when an attacker sets up a HomeKit device with a very long name, approximately 500,000 characters. iOS devices that then connect to that device stop responding, even after a reboot. If the user restores the iOS device to factory settings but then signs in to the iCloud account associated with the HomeKit device, the bug is triggered again.
Spiniolas reports that any iOS app with access to Apple Home data can rename HomeKit devices, so such apps can exploit the vulnerability. Apple introduced a limit on the length of HomeKit names in iOS 15.1, and possibly as early as iOS 15.0 according to the researcher, so setting such a name is no longer possible on recently updated iOS devices. However, HomeKit devices that have already been renamed can still “freeze” iOS devices running the most recent iOS versions.
The researcher emphasizes that it is more likely that the vulnerability will be exploited by creating a Home network and inviting people to it via phishing emails. Spiniolas says users can defend themselves against the bug by ignoring invitations to unknown Home networks. iOS users who use HomeKit devices themselves can protect themselves in part by disabling ‘Show Home Controls’ in Control Center.
Spiniolas says he reported the bug to Apple on August 10. According to the researcher, Apple initially indicated that it would deliver a fix “before 2022”, but last month revised this to “early 2022”, after which Spiniolas told Apple that he would make the bug public in early 2022. Apple has not yet fixed the bug. The researcher had previously contacted Apple about a bug in macOS, which was patched in 2019.
Spiniolas believes Apple was too slow to respond to his initial report. The researcher shared emails with The Verge in which an Apple employee acknowledged the bug and asked Spiniolas not to publish details about Doorlock until early 2022. Apple has not yet publicly commented on the disclosure.
Apple has long been criticized for its bug bounty program. Of the major tech companies, Apple’s responsible disclosure policy is the most recent. Although Apple pays relatively high rewards, ethical hackers have been complaining for years about slow fixes and reports that seem to disappear into black holes. already wrote an article about those problems last year.