This security flaw could disable your iPhone or iPad, but Apple is on it

doorLock bug was discovered six months ago, but Apple has a patch now

Less than two weeks after Apple was accused of being reckless over an iOS security vulnerability, the company has addressed the problem, issuing a patch for iPhone and iPad devices.

The new security update tackles a recently discovered denial of service vulnerability, named “doorLock”. The vulnerability, first uncovered by security researcher Trevor Spiniolas, affects Apple HomeKit, in iOS versions 14.7 through 15.2. HomeKit is a software platform for the creation of smart home apps.

To demonstrate the problem, Spiniolas recorded a short YouTube video. In it, he describes how to abuse the flaw, showing that all it takes is for a malicious actor to rename the HomeKit device to something with more than 500,000 characters.

Endless loop of freezes and reboots

An iOS app with access to Home data could, theoretically, change HomeKit device names, even if the target endpoint has no Home devices added. Given that this is not a “de jure” vulnerability, it’s a big question how antivirus apps would address it. There is no malware out there abusing this flaw.

The device trying to load the long name would just freeze, leaving the user no option but to hard reset it. To add insult to injury, the reset would delete all stored data, and as soon as the device signs back into the iCloud account linked to the HomeKit device, it would freeze all over again.

Spiniolas said he notified Apple of the bug in August last year, to no avail. However, Apple has now fixed the issue in iOS 15.2.1 and iPadOS 15.2.1 by adding improved input validation.
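The freeze-after-restore behaviour described above shows why a length check on the rename call alone is not enough: a name that is already stored in the cloud has to be bounded when it is read back as well. The sketch below is an added illustration, not Apple's code; the limits, function names and fallback label are assumptions chosen for the example.

```python
# Added illustration; not Apple's fix. All limits and names here are assumed.
import unicodedata

MAX_NAME_CHARS = 64                  # assumed cap for a user-visible device name
MAX_NAME_BYTES = 4 * MAX_NAME_CHARS  # UTF-8 worst case, checked before decoding


class NameRejected(ValueError):
    """Raised on the write path when a rename request is out of bounds."""


def validate_rename(requested: str) -> str:
    """Write path: refuse a bad name so it is never stored or synced."""
    if len(requested) > MAX_NAME_BYTES:      # coarse check before any real work
        raise NameRejected(f"name has {len(requested)} chars")
    name = unicodedata.normalize("NFC", requested).strip()
    if not name:
        raise NameRejected("empty name")
    if len(name) > MAX_NAME_CHARS:
        raise NameRejected(f"name has {len(name)} chars, limit {MAX_NAME_CHARS}")
    if any(unicodedata.category(c) == "Cc" for c in name):
        raise NameRejected("control characters in name")
    return name


def sanitize_synced_name(raw: bytes, fallback: str = "Unnamed accessory") -> str:
    """Read path: a record already in cloud storage cannot be rejected, so
    bound the work done on it before the value reaches any UI code."""
    clipped = raw[:MAX_NAME_BYTES]                    # cap size before decoding
    text = clipped.decode("utf-8", errors="ignore")   # drops a split last char
    text = "".join(c for c in text if unicodedata.category(c) != "Cc")
    text = unicodedata.normalize("NFC", text).strip()[:MAX_NAME_CHARS]
    return text or fallback


if __name__ == "__main__":
    oversized = "A" * 500_001        # constructed sample, size taken from the article
    try:
        validate_rename(oversized)
    except NameRejected as err:
        print("rename refused:", err)
    print("synced name shown as:", sanitize_synced_name(oversized.encode()))
```

Rejecting on write keeps new oversized names out of storage, while clipping on read lets a device that has already synced such a name load it without unbounded work.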

All iPad Pro models, all iPhones from the model 6 onwards, all iPad Air devices from the model 2 onwards, all iPads from the fifth generation onwards, all iPad mini devices from version 4 onwards, as well as the seventh generation of iPod touch devices, are now protected.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.