Apple has fixed a vulnerability in HomeKit by releasing updates for iOS and iPadOS that address the Denial of Service (DoS) issue. The bug affects the infrastructure of the HomeKit smart home framework. HomeKit is Apple's protocol and platform that allows iOS and iPadOS users to discover and control smart home appliances on their network.
The vulnerability is called doorLock and has the identifier CVE-2022-22588. As Apple explains, the bug is related to a "resource exhaustion problem" that can manifest itself when processing the maliciously crafted name (a string longer than 500,000 characters) of a HomeKit-enabled device. The victim has to be tricked into accepting an invitation from such a device.
Worse, because HomeKit device names are backed up in iCloud, logging back into the iCloud account associated with the HomeKit device can re-trigger the DoS and cause devices to enter an endless reboot loop that can only be stopped with a factory reset.
The problem was originally discovered back in August 2021 by information security specialist Trevor Spiniolas. He says that at first the company did not take the bug seriously and took too long to work on a fix.
Apple has now resolved the issue with the release of iOS 15.2.1 and iPadOS 15.2.1 by adding improved input validation that no longer allows hackers to attack vulnerable devices.
However, according to information security experts, Apple only partially fixed the bug in iOS 15.1 by limiting the length of the name that can be set for a HomeKit device or application. That is, the problem has not yet been completely solved.
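The following added example (not Apple's code, and not from the original article) sketches the kind of input validation described above: a device name is bounded before any processing, and the same check is applied to names arriving from an invitation or a restored backup, not only to names the user types. The limits, function names and sample records are assumptions made for illustration.

```python
import unicodedata

# Limits are assumptions for this sketch, not Apple's actual values.
MAX_NAME_BYTES = 256   # checked before any decoding or normalisation
MAX_NAME_CHARS = 64

class InvalidDeviceName(ValueError):
    pass

def validate_device_name(raw: bytes) -> str:
    """Return a cleaned device name or raise InvalidDeviceName."""
    # Cheap size check first, so a 500,000-character name is rejected
    # before any per-character work is spent on it.
    if len(raw) > MAX_NAME_BYTES:
        raise InvalidDeviceName(f"name is {len(raw)} bytes, limit {MAX_NAME_BYTES}")
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise InvalidDeviceName("name is not valid UTF-8") from exc
    name = unicodedata.normalize("NFC", name).strip()
    if not name:
        raise InvalidDeviceName("name is empty")
    if len(name) > MAX_NAME_CHARS:
        raise InvalidDeviceName(f"name is {len(name)} characters, limit {MAX_NAME_CHARS}")
    if any(unicodedata.category(ch) == "Cc" for ch in name):
        raise InvalidDeviceName("name contains control characters")
    return name

def load_devices(records):
    """Validate names from any untrusted source (invitation, cloud backup).

    Bad records are quarantined instead of loaded, so a restored backup
    cannot feed an oversized name back into the app on every launch.
    """
    accepted, quarantined = [], []
    for rec in records:
        try:
            accepted.append({"id": rec["id"], "name": validate_device_name(rec["name"])})
        except InvalidDeviceName as exc:
            quarantined.append((rec["id"], str(exc)))
    return accepted, quarantined

# Constructed sample records, as they might arrive from a backup restore.
SAMPLE_BACKUP = [
    {"id": "lock-1", "name": "Front Door".encode()},
    {"id": "lock-2", "name": ("A" * 500_001).encode()},
    {"id": "lamp-3", "name": b"Desk\x00Lamp"},
]

if __name__ == "__main__":
    print(load_devices(SAMPLE_BACKUP))
```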
In addition, the updates resolve an issue that could prevent Messages from uploading photos sent as an iCloud link, as well as an issue that could cause third-party CarPlay apps to become unresponsive.