Apple has released security updates to address a persistent denial-of-service (DoS) vulnerability dubbed doorLock that could completely disable iPhones and iPads running HomeKit on iOS 14.7 and later.
HomeKit is an Apple protocol and infrastructure that enables iOS and iPadOS users to discover and control smart home devices on their network.
As the company explained in a security advisory released today, the doorLock vulnerability, tracked as CVE-2022-22588, will crash affected iOS and iPadOS devices when they process maliciously crafted HomeKit accessory names.
Apple addressed this serious resource exhaustion issue in iOS 15.2.1 and iPadOS 15.2.1 by adding improved input validation that no longer allows attackers to disable vulnerable devices.
Devices that received security updates today include iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).
“Four months ago, I discovered and reported a serious denial of service bug in iOS that persists in the latest version. It persists on reboots and can trigger after restores under certain conditions,” said Trevor Spiniolas, the programmer and “newbie security researcher” who spotted and reported the bug.
“All requirements are default settings. When someone sets up their iOS device, everything is already in order for the bug to work. If he accepts a malicious home invitation from there, his device stops working.”
Fix delayed since August
According to Spiniolas, Apple has known about doorLock since August 2021 but has pushed back the security update several times despite repeated promises to fix it.
“I think this bug is being handled inappropriately as it poses a serious risk to users and many months have gone by without a full fix,” Spiniolas said.
“The public needs to be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”
The researcher says an attacker would need to change the name of a HomeKit device to a large string of up to 500,000 characters and trick the target into accepting a home invitation.
Once the target joins the attacker’s HomeKit network, their device becomes unresponsive and eventually hangs.
The only way to recover from such an attack would be to factory reset the disabled device, as it will freeze again after restarting and reconnecting to the iCloud account linked to the HomeKit device.
Zero-day patches have also been delayed
In September, software developer Denis Tokarev also published proof-of-concept exploit code for three zero-day iOS flaws on GitHub after Apple delayed patching them and failed to credit him when it fixed a fourth in July.
A month later, with the release of iOS 15.0.2, Apple fixed one of the “gamed” zero-day vulnerabilities reported by Tokarev.
However, Apple did not acknowledge or credit him for the discovery and also asked him to keep quiet and not disclose to others that the company had not given him credit for the bug.