If you're using Apple Homekit, you need to pay close attention, because a security vulnerability is causing quite a stir at the moment. Due to a bug in the home automation system, iPhones and iPads can be bricked. The problems around the so-called "DoorLock" doesn't stop there, however, because the error is already known since August 2021 and was now published by the security researcher Trevor Spiniolas.
- A security flaw in Apple's Homekit is currently causing quite a stir.
- iPhones and iPads can be rendered unusable by a font flaw.
- Apple is planning an update for early this year.
With Apple's Homekit, many things can be controlled without any problems. However, a security flaw has now been published that primarily affects devices running iOS 14.7 or later. Spiniolas found that device names with a long string cause a bug that renders the devices unusable. His tests showed that a string of around 500,000 characters will cripple devices that load them from the HomeKit API. At that point, rebooting the devices won't help; instead, the devices will have to be completely reset, resulting in the loss of personal data.
With iOS 15.0, Apple implemented a limit to the string, but devices running iOS 15.2 also seem to be affected. So if a device running an older operating system loads the long string into the HomeKit API, then the newer devices can also load that string and subsequently stop working.
"All iOS versions released from iOS 14.7 have been tested, and the vulnerability exists on all versions. Devices used during testing include an iPhone 7 (iOS 15.2-14.7), an iPad 6 (iOS 15.0 beta and iOS 14.7), and an iPhone XS (iOS 14.7.1 & 14.7). While untested, it is likely that the bug exists on all versions of iOS 14."
Apple plans to fix the bug early this year
When an iOS device name is changed, it is downloaded and updated by all connected devices - this is what triggers the bug in the first place and causes the devices to stop working. If the devices are not connected via Home Data, then only the Home app will stop working. Whether or not you choose to disconnect your Home Data until the bug is fixed, however, is up to you.
There is another danger from this vulnerability besides the functionality issue. Should attackers try to send the data to devices with a ransomware, then devices with iOS 14.7, for example, could be rendered unusable by third parties. This would result in the loss of all personal, unsaved data without any action on your part.
"I then informed them on December 9th that I planned to publicly disclose this information on January 1st, 2022. I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix."
The security researcher found the bug back in August 2021. Apple hasn't really responded to the bug since then, which is why Spiniolas now decided to go public. He claims that the bug poses a serious risk to users' devices and that's why he disclosed the bug.
What do you think of the security flaw? Is it a serious threat or nothing to really worry about? Let us know in the comments!