If you use Apple HomeKit, you should be careful right now, because a security hole is currently causing a stir. A bug in HomeKit can leave your iPhones and iPads unusable. The problems with the so-called “DoorLock” bug do not end there, however: the flaw has been known since August 2021 and has now been published by the security researcher Trevor Spiniolas himself.
- A security hole in Apple’s HomeKit is currently causing a stir.
- A bug triggered by overly long device names can render iPhones and iPads unusable.
- Apple plans an update for the beginning of the year.
Apple’s HomeKit lets you control a lot of devices without any trouble. However, a security vulnerability has now been published that mainly affects devices running iOS 14.7 or higher. Spiniolas found that a device name consisting of a very long string causes an error that makes the devices unusable. His tests showed that a string of around 500,000 characters paralyzes devices that load it from the HomeKit API. Restarting the devices then no longer helps; they have to be completely reset, which results in the loss of personal data.
iOS 15.0 introduced a limit on the length of the string, but devices running iOS 15.2 now also appear to be affected. If a device with an older operating system loads the long string into the HomeKit API, it is quite possible that newer devices will load this string and then stop working.
All iOS versions released from iOS 14.7 have been tested, and the vulnerability exists on all versions. Devices used during testing include an iPhone 7 (iOS 15.2-14.7), an iPad 6 (iOS 15.0 beta and iOS 14.7), and an iPhone XS (iOS 14.7.1 & 14.7). While untested, it is likely that the bug exists on all versions of iOS 14. Source: Trevor Spiniolas
Apple plans to fix the bug at the beginning of the year
When a device name is changed, it is downloaded and updated by all connected devices. This is what triggers the error in the first place, and the devices will no longer work. If the devices are not connected via the home data, only the Home app will stop working. It is up to you whether you want to disconnect your home data until the bug has been fixed.
In addition to the loss of functionality, this security gap carries another danger. If attackers abuse the bug in a ransomware-style attack and send such data to devices, devices running iOS 14.7, for example, could be rendered unusable by third parties. As a result, you would lose all personal data that has not been backed up, without any action on your part.
I then informed them on December 9th that I planned to publicly disclose this information on January 1st, 2022. I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. Source: Trevor Spiniolas
The security researcher found the bug back in August 2021. Apple has not really responded to it since then, which is why Spiniolas decided to go public himself. He says that the bug poses a serious risk to users.