A vulnerability has been found in iOS that uses HomeKit as an attack vector and is triggered by very long device names. It was disclosed publicly by a security researcher who says Apple has been slow to fix it.
As with its other products, Apple is keen on keeping HomeKit as secure as possible for its users. In a disclosure published on January 1, it seems that there is a bug in the smart home platform that could cause problems for its users.
According to security researcher Trevor Spiniolas, if a HomeKit device name is changed to a “very long string,” set at 500,000 characters in testing, iOS and iPadOS devices that load the string can be forced to reboot and rendered unusable. Furthermore, because the name is stored in iCloud and synced to every other iOS device signed into the same account, the bug can reappear repeatedly.
Spiniolas has called the bug “doorLock,” and claims that testing confirmed it affects all iOS versions from iOS 14.7 onwards, though it is likely to exist on all iOS 14 versions as well.
Furthermore, while an update in iOS 15.0 or 15.1 imposed a limit on the length of a name that an app or a user could set, the name can still be changed from devices running earlier iOS versions. If the bug is triggered on an iOS version without the limit and that device shares HomeKit data, every device it shares the data with will be affected as well, regardless of version.
There are two possible outcomes. On devices that don’t have Home devices enabled in Control Center, the Home app becomes unusable and crashes. Neither reboots nor updates will fix the problem, and a restored device will again render Home unusable if it is signed into the same iCloud account.
For iPhones and iPads that have Home devices enabled in Control Center, which is the default setting for when users have access to HomeKit devices, iOS itself becomes unresponsive. Inputs become delayed or ignored, with the device unresponsive and going through the occasional reboot.
Neither rebooting nor updating the device will fix it in this situation, and because USB access is also disrupted, users are effectively forced to restore their device and lose all local data. However, restoring and signing into the same iCloud account will trigger the bug again with the same effects as before.
Spiniolas believes the issue could be used for malicious purposes, for example by an app with access to Home data introducing the long name by itself. It is also feasible for an attacker to send Home invitations to other users, even if the target doesn’t own a HomeKit device.
How to avoid the issue
According to the researcher, the worse of the two scenarios can be avoided by disabling Home devices in Control Center. To do so, open Settings, then Control Center, and set the “Show Home Controls” toggle to off.
Users should also be wary of invitations to join other users’ Home networks, especially those from unknown contacts.
A slow fix
Spiniolas claims to have initially reported the bug to Apple on August 10th, with Apple said to have planned for a security update fixing the bug to be issued by the end of 2022. However, Apple then allegedly changed its estimate on December 8th to “Early 2022.”
The delayed fix prompted Spiniolas to warn Apple that a public disclosure of the bug would be made on January 1, 2022.
“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” writes the researcher. “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”