Apple HomeKit: Vulnerability can have serious consequences

Apple’s smart home solution HomeKit is said to have a vulnerability. Discovered by security researcher Trevor Spiniolas, it can be exploited via the HomeKit interface. He has published a detailed write-up under the name doorLock; iOS 14.x up to the current iOS 15.2 are said to be affected.

If an attacker creates a HomeKit device with an extremely long name, for example 500,000 characters, an iOS device will likely freeze until it is reset and restored. The problem with that? Restoring the device and signing back in to the iCloud account associated with the HomeKit device will trigger the error again.

Another problem: an attacker could also send users invitations to a household that contains malicious data, even if they do not have a HomeKit device. The error should be fixed soon: according to Spiniolas, it was first reported on August 10th and is still present in iOS 15.2 (attackers probably need iOS 14.x because iOS 15 no longer accepts names that long).

Apple said it intended to fix the bug in a security update before 2022, but has failed to provide an actual solution. According to the report, on December 8 Apple changed the estimate to early 2022. Spiniolas preferred not to give Apple another deadline and made the bug public.

His statement about it? Apple’s lack of transparency is not only frustrating for security researchers, who often work for free, but it also puts the millions of people who use Apple products in their everyday lives at risk, as Apple is less responsible for security issues.
