Your Yello Ring Road To Success
GOOGLE LOGIN MY ADS MY SHOP

Apple Releases iPhone and iPad Updates to Patch HomeKit DoS Vulnerability

HomeKit DoS Vulnerability

Apple on Wednesday rolled out software updates for iOS and
iPadOS to remediate a persistent denial-of-service (DoS) issue[1] affecting the HomeKit
smart home framework that could be potentially exploited to launch
ransomware-like attacks targeting the devices.

The iPhone maker, in its release
notes[2] for iOS and iPadOS
15.2.1, termed it as a “resource exhaustion issue” that could be
triggered when processing a maliciously crafted HomeKit accessory
name, adding it addressed the bug with improved validation.

Automatic GitHub Backups

The so-called “doorLock” vulnerability, tracked as
CVE-2022-22588, affects HomeKit, the software API for connecting
smart home devices to iOS applications.

Should it be successfully exploited, iPhones and iPads can be
sent into a crash spiral simply by changing the name of a HomeKit
device to a string larger than 500,000 characters and tricking the
target into accepting a malicious Home invitation.

Even worse, since HomeKit device names are backed up to iCloud,
signing back into the affected iCloud account linked to the
‌HomeKit‌ device can re-trigger the DoS condition and cause the
devices to enter an endless cycle of crash and reboot that can only
be ended by restoring them to their factory settings.

Although the company attempted to mitigate the problem by
introducing a limit on the length of the name an app or the user
can set, it was found that it did nothing to prevent an attacker
from running an earlier version that allows excessively long device
names and then getting the victim to accept a rogue invitation via
a phishing email.

Prevent Data Breaches

The fix comes weeks after security researcher Trevor Spiniolas,
who discovered the vulnerability, called out the company for
failing to “take the matter seriously” despite having reported it
in August 2021 and leaving its customers exposed to a pretty
serious issue.

“Apple’s lack of transparency is not only frustrating to
security researchers who often work for free, it poses a risk to
the millions of people who use Apple products in their day-to-day
lives by reducing Apple’s accountability on security matters,”
Spiniolas said.

References

  1. ^
    denial-of-service (DoS) issue
    (thehackernews.com)
  2. ^
    release
    notes     (support.apple.com)

Read more