Posted on January 6, 2022, 12:45 PM

A security researcher called Trevor Spiniolas has just released information about a bug that he says has existed in Apple's iOS operating system since at least version 14.7.

The bug affects the Home app, Apple's home automation software that controls home devices (webcams, doorbells, thermostats, light bulbs, etc.) that support Apple's HomeKit ecosystem.

Mr Spiniolas dubbed the bug doorLock, giving it both a logo and a dedicated webpage, saying that although he disclosed it to Apple in August 2021, the company's attempts to fix it have been incomplete so far, and that the deadline of January 1, 2022 he had set for going public with the details of the flaw has now passed:

I believe this bug is being handled improperly as it poses a serious risk to users and several months have passed without a full fix. The public should be made aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.

It's up to you to decide if this bug really presents a "serious risk", but in this article we explain how to fix the problem.

The good news is that this bug does not allow attackers to spy on your phone (or your HomeKit devices), steal data such as passwords or personal messages, install malware, rack up fraudulent online charges or interfere with your network.

There are also easy ways to avoid getting bitten by this bug until Apple comes up with a complete solution.

The bad news is that if an attacker tricks you into triggering the bug, you may end up with a phone so unresponsive that you'll have to reset the firmware to gain access to the device again.

And, as you probably already knew – or, if you didn't, you know now! – using Device Recovery or DFU (a direct firmware update, which consists of completely resetting the firmware of a recalcitrant iDevice via a USB cable) first automatically erases all your personal data.

Erasing your data on device reset is a feature, not a bug: it prevents thieves from stealing your phone, performing a hard reset and DFU, and then reading the old data off the device they just "recovered". Erasing your data is fast and reliable because Apple mobile devices always encrypt your data, even if you don't set your own lock code, using a randomly chosen passphrase kept in secure storage. So simply wiping that passphrase from the device renders all your data unusable at once, without having to wait for all the flash memory on the device to be overwritten, and without having to wonder whether any unencrypted data has been left behind.

What devices are affected?

Spiniolas doesn't say it, but we assume this same bug is present in iPadOS, which has shipped separately from iOS since version 13, but still with a corresponding version number.

We also don't know how far back this bug goes: as we mentioned above, Spiniolas says "from iOS 14.7", which we believe is simply the earliest version he was able to test.

Apple doesn't allow iPhones and iPads to be downgraded, to prevent hackers from reverting to known-flawed versions of iOS in an effort to reintroduce exploitable security flaws.


What is the cause of the bug?

According to the description given by Spiniolas, the bug triggers if Apple's Home app encounters a HomeKit device under its care with an enormously long name, say 90,000 characters or more.

This makes the bug look like an old-fashioned buffer overflow, where more data is written to memory than was originally allocated for it, causing the offending program to crash at best and, at worst, pushing it into behaving in a way the attacker can control.

The first result – an outright crash – usually leads to a denial of service (DoS) bug, in which attackers can deliberately crash an application, possibly repeatedly, to cause inconvenience or trouble.

The latter outcome, where attackers retain sufficient control over the crash to take over the buggy program completely and replace the running code with untrusted software of their choice, is known as remote code execution (RCE).

RCE is typically used to implant spyware or malware, and is clearly a far greater danger than DoS.

As of yet, there's no indication that Spiniolas' crash could be reliably used for a full RCE exploit, or even that it could lead to an RCE at all.

But the fact that cybercriminals now know where to start looking makes this bug doubly worth avoiding.

How is the bug triggered?

If you deliberately rename one of the home devices on your HomeKit network to have a name of around 100,000 characters or more (Spiniolas variously used 500,000 and 90,000 characters in his experiments), the Home app will apparently hang when it next attempts to process the oddly named device, and eventually crashes.

According to Spiniolas, Apple recently made a fix to the Home app to prevent renaming devices to have absurdly long names.

But the fix apparently doesn't prevent the latest version of the app from reacting badly to devices that already have names that are too long, and obviously doesn't prevent miscreants from using devices that haven't been patched to catch applications that have been.

Spiniolas is unclear on this point, but we inferred from his report that although unpatched versions of the Home app sometimes crash when trying to set an extra-long HomeKit device name, they do not always crash, or only crash after the extra-long name has already been applied. Spiniolas also showed how to build a custom iOS app that you can install locally on your own device, using an Apple developer account, to rename HomeKit devices without the app's length restriction, whether your device is patched or not. So even if you're not able to set ultra-long HomeKit device names yourself, you should assume that attackers can.
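The last few paragraphs make a general point about this kind of fix: rejecting oversized names on the rename screen does nothing for names that are already stored or that arrive from another client, so the read path must check too. The simulation below is an added example, not Apple's or Spiniolas's code; the 64-character bound, the class and the method names are assumptions made for the demonstration.

```python
# Added illustration (not Apple's code): a simulated accessory-name store that
# shows why validating names only on rename does not protect the display path.
# The 64-character limit and all names here are assumptions for the demo.
from dataclasses import dataclass, field

MAX_NAME_LEN = 64  # assumed display-safe bound, not Apple's actual limit


class NameTooLongError(ValueError):
    """Raised when a rename request exceeds MAX_NAME_LEN."""


@dataclass
class AccessoryStore:
    names: dict[str, str] = field(default_factory=dict)
    quarantined: list[str] = field(default_factory=list)

    def rename(self, accessory_id: str, new_name: str) -> None:
        """Patched input path: refuse absurd names at the UI boundary."""
        if len(new_name) > MAX_NAME_LEN:
            raise NameTooLongError(f"{accessory_id}: {len(new_name)} chars")
        self.names[accessory_id] = new_name

    def sync_from_cloud(self, records: dict[str, str]) -> None:
        """Records written by another (unpatched or custom) client arrive here
        and never pass through rename(), so the bound is not enforced on them."""
        self.names.update(records)

    def load_for_display(self) -> dict[str, str]:
        """Hardened read path: check every stored name before the UI touches it.
        Oversized records are truncated for display and their ids recorded,
        instead of being handed to the renderer as-is."""
        safe: dict[str, str] = {}
        for accessory_id, name in self.names.items():
            if len(name) > MAX_NAME_LEN:
                self.quarantined.append(accessory_id)
                safe[accessory_id] = name[:MAX_NAME_LEN] + "...[truncated]"
            else:
                safe[accessory_id] = name
        return safe


def demo() -> tuple[bool, list[str], int]:
    """Returns (rename rejected?, quarantined ids, longest displayed name)."""
    store = AccessoryStore()
    store.rename("lamp-1", "Living room lamp")
    try:
        store.rename("cam-1", "A" * 90_000)  # constructed oversize name
        rejected = False
    except NameTooLongError:
        rejected = True
    # The same name slipping in through a sync is not caught by rename().
    store.sync_from_cloud({"cam-1": "A" * 90_000})
    shown = store.load_for_display()
    return rejected, store.quarantined, max(len(n) for n in shown.values())
```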

Problems with the control center

Unfortunately, says Spiniolas, if you've enabled the Home app in Apple's Control Center (the always-available menu system that you can bring up at any time by swiping from the top or bottom of the screen, depending on your iPhone model), the app will automatically load in the background each time you start your phone.


This means that your device may end up in a permanent "lock-crash-try-repeat-lock-crash-ad-infinitum" loop that renders it unusable before you have time to access the Settings menu and remove Home from Control Center.

You can regain control of Control Center by accessing the Settings app, but you must first regain control of Control Center in order to access the Settings app.

This is why Spiniolas claims that the only way out of this dilemma is to perform a Recovery or DFU reset on the unresponsive device.

As this deletes all your personal data, the Home app will no longer have any HomeKit device names to display until you log into your iCloud account for the first time and your HomeKit details are downloaded back to your phone.

This gives you a window, before your phone is presented with the crash-inducing HomeKit device names, to go to the Settings app and remove the Home app from the Control Center screen.

To rename the offending devices and safely regain control, Spiniolas suggests installing a custom app (he offers sample code you can use "at your own risk" on his GitHub page) using an Apple Developer account, and using this app to perform the renaming.

What to do?

We consider it extremely unlikely that you'll inadvertently trigger this bug on your own HomeKit network, given that you are unlikely to copy-paste a nonsensical device name into the Home app by mistake and then deliberately tap [Save] to commit that weird name to your HomeKit configuration.

So the most likely way for you to get caught out is either...

In other words, it is easy to mitigate this problem:

Next steps

Not being home automation enthusiasts ourselves, we don't have an iCloud account or a HomeKit network to practice on.

Therefore, we cannot tell you if there is a way to manage HomeKit devices from your browser, or from a non-Apple device, which would avoid the flawed Home app. …

Lucas Gauvin: A graduate of the school of computer engineering 42, Lucas is a real jack of all trades in computing: code, connected objects, hosting… Hardware and software have (almost) no secrets for him.