iOS 15.2.1 Fixes ‘doorLock’ HomeKit Flaw and Other Bugs

Filip TRUȚĂ

January 13, 2022

Apple today started rolling out iOS 15.2.1 for iPhones and iPads, addressing a security flaw in the HomeKit framework that could be exploited to trigger denial of service and lock users out of their devices.

According to the release notes (pictured below), iOS 15.2.1 is a bug-fix release, addressing an issue with Messages not loading photos sent using an iCloud link as well as a problem with third-party CarPlay apps not responding to input.

But perhaps the more significant bug fix in iOS 15.2.1 is described in the security advisory tucked away at the end of the changelog.

Tracked as CVE-2022-22588, a resource exhaustion issue in the HomeKit framework is finally being addressed, four months after Apple was informed of its existence.

HomeKit lets users configure and control smart-home appliances using Apple devices.

Exploitation of the flaw, which affects most iOS devices in circulation, could be as simple as sending a malicious HomeKit invite to the victim. A successful attack would freeze the iPhone and trigger a reboot loop, essentially locking the victim out of the device.

Trevor Spiniolas, the researcher who discovered and reported the bug, expressed deep dissatisfaction with Apple’s sluggish response to his bug report, stressing that his ‘doorLock’ exploit could well be considered a ransomware attack vector for iPhones.

“I believe this issue makes ransomware viable for iOS, which is incredibly significant,” he wrote in a blog post. “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions.”

“An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue,” Spiniolas theorized.

“In regards to Apple’s awareness of the issue, I found their response to be insufficient,” Spiniolas wrote. “Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done. Status updates on the matter were rare and featured exceptionally few details, even though I asked for them frequently. Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.”

iOS 15.2.1 is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). To apply the patch, on your iOS device visit Settings -> General -> Software Update and follow the on-screen instructions.
