With HomeKit, Apple introduced a new control center just in time for the release of iOS 11 a few years ago. It was supposed to simplify the operation of the iPhone itself, but also of connected smart devices. Now, however, the feature seems to cause serious problems on the iPhone and iPad. A security vulnerability can render the devices temporarily unusable. The only remedy then is a costly reset.
Long-lasting security gap
The problem is by no means new for Apple. Quite the contrary. The company from California has already been aware of the security gap for over four months. Now the discoverer of the problem, Trevor Spiniolas, has obviously had enough and is turning to the public. He has given the gap the pithy term “Doorlock” without further ado. But what exactly is the problem? Spiniolas describes it as follows:
“If the name of a Homekit device is changed to a long string (500,000 characters in my tests), any device with an affected iOS version that loads the string becomes unusable.”
The IT security researcher describes that in this case even a simple reboot would not help. This effectively forces you to perform a complete reset of the system. This is not only costly, but can also mean a significant loss of data under certain circumstances. Especially people who do not rely on a data backup in the iCloud would have to reckon with this. Once you have performed a reset, you also have to be careful not to perform the immediate login via iCloud, according to Spiniolas. Otherwise, the device could become unusable again.
Affected all iOS and iPad OS versions
If it is the long device name that triggers the problem, the question arises about a simple limitation. And this is something Apple has actually introduced under iOS 15, according to Spiniolas. Here, each user can set the maximum length of a device name under the Homekit app. What applies to the latest iOS version, however, does not apply to iOS 14 and older. Accordingly, problems can still occur with newer devices, at least in theory. If an iPhone with iOS 14 or older has a device name that is too long, the new iPhone with iOS 15 will also be triggered by the security vulnerability when it is accessed. This scenario is not quite so far-fetched, as the IT expert makes clear:
“When the name of a Homekit device is changed, the new name is stored in iCloud and updated on all other iOS devices that are logged in with the same account when Home Data is enabled”
Flaw to be fixed soon
Of course, public pressure on Apple has increased immensely now that the security researcher has made his discovery public. Therefore, the company also wants to immediately deliver a corresponding update of its Homekit app. It should be ready by the beginning of this year. If Spiniolas has his way, a fix for the problem can’t come fast enough. After all, the security gap also opens the door for criminals. Here, he cites the following example:
“An attacker could also send Home invitations with the malicious data to users with one of the iOS versions described, even if they don’t have a Homekit device.”
Apple has not responded
Given the scope of the vulnerability, it’s almost shocking that Apple didn’t respond sooner. Spiniolas himself says that he informed the company about the issue he discovered as early as last August. The tech company then vowed to fix the bug within the same year. When it became clear that they would not reach that goal, Apple turned to the security researcher again and announced that a fix was not expected until 2022. In the course of this, Spiniolas announced that he would go public if Apple did not take care of a security update before then. Now he followed up his words with action and warned Apple users. With this, the iPhone inventors from California once again underline why they and their update policy are often criticized.
No replies yet
Neue Antworten laden...
Neues Mitglied
Beteilige dich an der Diskussion in der Basic Tutorials Community →