Security researcher discloses iOS vulnerability that uses HomeKit to paralyze iPhones

A security researcher recently disclosed an iOS vulnerability that can be triggered through HomeKit, and Apple has been very slow to fix it. Security researcher Trevor Spiniolas said that if a HomeKit device name is changed to a very long string (500,000 characters in his test), iOS and iPadOS devices that load the string will be restarted and become unusable.

In addition, because the name is stored in iCloud and synced to every other iOS device logged into the same account, the error may occur repeatedly. Spiniolas calls this vulnerability doorLock and claims that it affects all tested iOS versions above iOS 14.7, although it may also exist in all iOS 14 versions.

Although the update in iOS 15.0/15.1 restricts the length of the name that an application or the user can set, earlier iOS versions can still update the name. If the error is triggered on an unrestricted iOS version and the HomeKit data is shared, every device the data is shared with will also be affected, regardless of its version.
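The gap described above, a limit applied only where the name is written, can be shown with a small model; this is an added example, not Apple's code or the researcher's. The client class, the store, the placeholder text and the 64-character limit are all assumptions made for illustration.

```python
# Added illustration: a toy model of an account-wide synced name store.
# Not Apple's code; every name and the limit below are assumptions.
MAX_NAME_CHARS = 64             # assumed; the article does not give the real limit
REPORTED_TEST_LENGTH = 500_000  # length used in the researcher's test


def is_acceptable(name):
    """Read-side rule: bounded length, printable text only."""
    return isinstance(name, str) and 0 < len(name) <= MAX_NAME_CHARS and name.isprintable()


class Client:
    """One device sharing `store` (a dict of device_id -> name) with others."""

    def __init__(self, store, limits_writes, validates_reads):
        self.store = store
        self.limits_writes = limits_writes
        self.validates_reads = validates_reads

    def set_name(self, device_id, name):
        # Write-side check: protects only writes that go through this client.
        if self.limits_writes and len(name) > MAX_NAME_CHARS:
            raise ValueError("name exceeds limit")
        self.store[device_id] = name

    def load_names(self):
        # Returns (names to display, ids quarantined for review).
        shown, quarantined = {}, []
        for device_id, name in self.store.items():
            if self.validates_reads and not is_acceptable(name):
                quarantined.append(device_id)
                name = "Unnamed device"  # safe placeholder, never the raw value
            shown[device_id] = name
        return shown, quarantined


def demo():
    store = {}
    unrestricted = Client(store, limits_writes=False, validates_reads=False)
    write_limited = Client(store, limits_writes=True, validates_reads=False)
    read_hardened = Client(store, limits_writes=True, validates_reads=True)
    unrestricted.set_name("lock-1", "A" * REPORTED_TEST_LENGTH)
    exposed, _ = write_limited.load_names()           # still receives the long name
    safe, quarantined = read_hardened.load_names()    # replaces and flags it
    return len(exposed["lock-1"]), safe["lock-1"], quarantined


if __name__ == "__main__":
    print(demo())
```

The write-limited client refuses to set an oversized name itself but still loads the one synced from the unrestricted client, which is why a device's own version does not protect it once data is shared.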

The bug shows up in one of two ways. On devices that do not have Home devices enabled in Control Center, the Home app becomes unusable and crashes. Restarting or updating will not solve this problem. If the restored device is signed in to the same iCloud account, Home will be unavailable again.

On iPhones and iPads with Home devices enabled in Control Center, which is the default setting when users have access to HomeKit devices, iOS itself becomes unresponsive. Input is delayed or ignored, the device does not respond, and it occasionally restarts.

In this case, restarting or updating the device does not resolve the problem, and because USB access is interrupted, the user is basically forced to restore the device and lose all local data. However, restoring and then signing in to the same iCloud account will trigger the error again, with the same effect as before.

Spiniolas believes that this problem may be used for malicious purposes, for example by an application that has access to Home data introducing the error itself. It is also feasible for an attacker to send Home invitations to other users, even if the target does not own a HomeKit device.

According to the researcher, the worse of these two scenarios can be avoided by disabling Home devices in Control Center. To do this, open Settings, go to Control Center, and set the Show Home Control switch to off. Users should also be wary of invitations to join other users' Home networks, especially those from unknown contacts.

Spiniolas claimed that he initially reported the bug to Apple on August 10, and Apple reportedly planned to release a security update to fix the bug before the end of 2022. However, Apple allegedly changed its estimate to early 2022 on December 8.

The researcher wrote: "I think the handling of this bug is inappropriate because it poses a serious risk to users, and many months have passed without a comprehensive fix. The public should know about this bug and how to prevent it from being used, not be kept in the dark."