White Hat Institute

The “doorLock” denial-of-service issue in Apple’s HomeKit makes iOS vulnerable

HomeKit apple
HomeKit apple

Apple HomeKit has a new recurring denial of service weakness called ‘doorLock,’ which affects iOS 14.7 through 15.2.

Apple HomeKit is a software framework that enables iPhone and iPad users to operate smart home products from their phones and tablets. Apple has been aware of the problem since August 10, 2021, according to Trevor Spiniolas, the security analyst who made the information available to the public. Despite Apple’s continuous promises to address it, the researchers noted that the security patch has been pushed farther and further, and the issue remains unaddressed.

An adversary would use a sequence longer than 500,000 characters in the name of a HomeKit device to activate ‘doorLock.’ Spinolas has produced a proof-of-concept hack in the form of an iOS app that has accessibility to Home information and can alter HomeKit gadget names to demonstrate the doorLock vulnerability. Even though the target user hasn’t connected any Home devices to HomeKit, creating and receiving an invitation to do so presents an exploitation pathway.

When trying to load the big string, a phone running an insecure iOS version will be forced into a denial of service (DoS) condition, with a hard reset being the only way out. Restarting the phone, on the other hand, will erase all stored information, which will only be retrieved if you have a backup. To complicate things further, the problem will be re-triggered once the phone restarts and the user registers back into the iCloud account associated with the HomeKit device.

“A limitation on the length of the name an app or user can set was implemented in iOS 15.1 (or probably 15.0),” Spiniolas adds in his blog post. “The implementation of a local size limit on renaming HomeKit devices was a small fix that eventually lacks to address the main issue, which is how iOS handles HomeKit device names.” “If an attacker wanted to take advantage of this flaw, they’d be considerably more likely to use Home invitations rather than an app, because invitations don’t require the user to own a HomeKit device.”

The consequences of this attack vary from an inoperable device that restarts continuously to the inability to take an iCloud backup because logging back into the online backup services re-triggers the issue. This attack might be exploited as a ransomware tool, encrypting iOS devices and requesting a ransom payment to restore the HomeKit device to an acceptable string length, according to the researcher.

What you should do to safeguard yourself

It’s important to note that the problem can only be abused by someone who has accessibility to your ‘Home’ or who accepts an invitation to one manually. However, because there is no effective way to restore access to local information after ‘doorLock’ has been initiated, users should concentrate their efforts on protection. Be wary of unsolicited invitations from email accounts that seem like Apple services or HomeKit devices.

If you’ve already suffered data loss through the iCloud, follow these three steps to recover your files:

Restore the device from Recovery or DFU Mode if necessary. Set up the device normally, but don’t login into your iCloud account. After you’ve completed the setup, go to settings and sign in to iCloud. Disable the “Home” toggle promptly after doing so. Without access to Home data, the device and iCloud should now work properly.

According to the researcher, Apple’s most recent estimate for resolving the flaw is “early 2022,” which will be accomplished via a future security update.