web analytics
Home » Technology » HomeKit and iOS vulnerability: Long names can be dangerous

HomeKit and iOS vulnerability: Long names can be dangerous

Security researchers warn of a security flaw in iOS that HomeKit uses as an attack vector. The vulnerability was reported months ago – but Apple has not yet done anything to fully protect its users. Therefore, the discoverers of the security gap have now come to the public and explained the trick attackers can use to access iOS devices via AppleInsider. The problem lies in Apple’s smart home platform. According to the security researchers, it is tricked with a very long device name. HomeKit is having trouble processing the string, which causes the executing devices, such as an iPad or iPhone, to restart.

According to security researcher Trevor Spiniolas, iOS and iPadOS devices that load this string can be rendered unusable if a HomeKit device name is changed to a “very long string”. In his tests, he used names with 500,000 characters. Also, because the name is stored in iCloud and updated on all other iOS devices signed in with the same account, the error can occur repeatedly. Spiniolas has called the bug “doorLock” and claims it affects all iOS versions from iOS 14.7 onwards in the test, although it is likely also present on all previous iOS 14 versions.

Gateway to all iOS 14 devices

He had already sent his findings to Apple in August 2021. Since the update to iOS 15 or newer, the length of a name that an app or a user can define is limited. However, this does not automatically secure all iOS 15 users. If the error is triggered on an iOS version without the character limit and HomeKit data is shared, all devices that the data is shared with will also be affected, regardless of the OS version. “I believe this bug is being treated inappropriately because it poses a serious risk to users and many months have passed without a comprehensive solution,” the researcher writes. “The public should be aware of this vulnerability and how to prevent it from being exploited instead of being left in the dark.” Apple is said to have planned a bug fix but has not yet released an update. Apple, iPhone 13 Pro, Apple iPhone 13 Pro.