Apple has fixed a security vulnerability in iOS and iPadOS that could be used to launch persistent denial of service (DoS) attacks through HomeKit.
technology giant iOS 15.2.1 and iPadOS 15.2.1 Released on Wednesday to fix the so-called “doorlock” flaw, which was disclosed earlier this month Security researcher Trevor Spiniolas, The bug affects iPhones and iPads running iOS 14.7 to iOS 15.2 and is triggered through HomeKit, Apple’s smart home platform that lets Apple users configure, communicate, and control their smart home devices.
To exploit the bug, an attacker would have to convert a HomeKit device name into a string longer than 500,000 characters. When that string is loaded onto a user’s iPhone or iPad, the device’s software will be thrown into a denial of service (DoS) state, which requires a forced-reset to unfreeze. But once the device reboots and the user signs back into the HomeKit-linked iCloud account, the bug pops up again.
Even if a user doesn’t have a device added to HomeKit, an attacker can create a fake home network and trick a user into joining via a phishing email. Worse, Spiniolas warned that attackers could take advantage of the DoorLock vulnerability to launch ransomware attacks against iOS users, locking devices into an unusable state, and trying to set HomeKit devices back to a secure string length. Can demand payment of ransom.
Spiniolas said Apple promised to fix the issue in a security update last year, but it was pushed back to “early 2022”, prompting Spiniolas to disclose the bug that delayed users. may be at “serious risk”.
“Despite him confirming the security issue and urging him several times over the past four months to take the matter seriously, very little was done,” he wrote. “Status updates on the matter were rare and showed exceptionally few details, even though I asked them frequently.”
“Apple’s lack of transparency is not only frustrating for security researchers who often work for free, it also poses a risk to the millions of people who use Apple products in their daily lives by undermining Apple’s accountability on security matters.” We do.”
The update can be downloaded now and is available for all iPad Pro models from iPhone 6s and later, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation) is available.