A security researcher has disclosed a bug in iOS that uses HomeKit as an attack vector and can ultimately render the device useless.
The researcher, who named the bug “doorLock”, said that renaming any HomeKit device to a long string can trigger an unwanted reboot, making the device useless. Apple was notified but has delayed a fix, which eventually prompted the researcher to disclose the bug.
Bug in Apple’s HomeKit
Apple’s way of connecting and controlling smart home appliances is HomeKit, a dedicated platform for managing all connected devices. It operates through the Home app in iOS and iPadOS.
Yesterday, a security researcher named Trevor Spiniolas shared details of a bug that can make an iPhone or an iPad utterly useless. According to him, the bug, which involves the Home app and HomeKit in iOS 14.7 and later, can trigger system reboots when exploited by a hacker.
Four months ago I discovered and reported a serious denial of service bug in iOS that still remains in the latest release. It persists through reboots and can trigger after restores under certain conditions. https://t.co/SAFbqyZdxY
— Trevor Spiniolas (@TrevorSpiniolas) January 1, 2022
This can make the device useless, as it reboots frequently when the user tries to access the HomeKit app. The bug is triggered by renaming a HomeKit device to a very long string (500,000 characters in testing), which causes the device to reboot.
The researcher named this bug “doorLock” and said he informed Apple in August last year. Responding to his findings, Apple said it would come up with a fix by the end of 2021, but on December 8th it changed the patch status to a rollout in early 2022.
With the fix delayed unreasonably, Trevor Spiniolas finally shared the bug details, writing: “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”
He also said a temporary workaround is to remove the affected iCloud account from the device to avoid triggering the bug. Because HomeKit saves the details it is given in the cloud, iCloud sync can make all connected devices useless too.
So removing the account, and also removing the Home app’s access to HomeKit, should help you avoid this bug. To do so, go to Settings > Control Center and toggle Show Home Controls off.