Jump to content
  • 5 months on, Apple has yet to fix iOS bug that sends devices into a crash spiral

    Karlston

    • 479 views
    • 3 minutes
     Share


    • 479 views
    • 3 minutes

    Denial-of-service vulnerability can be triggered by sending a malicious HomeKit invite.

    Apple has been taking its time fixing an iOS bug that makes it easy for miscreants to completely disable an iOS device unless the victim performs a factory restore and follows other cumbersome steps, a researcher said.

     

    HomeKit is an Apple-designed communication protocol that allows people to use their iPhones or iPads to control lights, TVs, alarms, and other home or office appliances. Users can configure their devices to automatically discover appliances on the same network, and they can also share those settings with other people so they can use their own iPhones or iPads to control the appliances. The sharing feature makes it easy to allow new people—say, a housesitter or babysitter—to control a user’s appliances.

     

    Trevor Spiniolas, a self-described programmer and “beginning security researcher,” said recently that a bug in the feature allows someone to send an iOS device into an unending crash spiral. It can be triggered by using an extremely long name—up to 500,000 characters in length—to identify one of the smart devices and then getting a user to accept an invitation to that network.

     

    As the demonstration videos below show, the device slowly becomes unresponsive until it eventually seizes up completely. Rebooting the device doesn’t help. By the time the login screen appears, it’s impossible to enter a passphrase. The only thing left to do is to perform a factory restore. And even then, once the device is restored, it will once again become unresponsive as soon as it logs back into the user’s iCloud account during setup.

     

    HomeKit Denial of Service Vulnerability (Setup after Restore)

     

    HomeKit Denial of Service Vulnerability (Via Home Invitation)

     

    Spiniolas said that he notified Apple of the bug in August and received a response saying that it would be fixed by the end of the year. Later, the researcher said, Apple said the fix would come in early 2022. That’s when he told the company he planned to disclose the bug publicly.

     

    “I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” he wrote. “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”

     

    The researcher said Apple recently updated iOS in an attempt to mitigate the problem. The patch limits the number of characters in device names. But that does nothing to prevent an attacker from running an earlier version that allows excessively long device names and then getting someone to accept an invitation. Even if the receiver is running the latest iOS version, the device will be completely locked up.

     

    This denial-of-service bug is relatively tame when compared to the zero-click vulnerabilities that frequently allow attackers to execute malicious code on iPhones. But if Apple wants to encourage users to trust their iOS devices, it really ought to fix this bug. Apple representatives didn’t respond to an email seeking comment for this article.

     

     

    5 months on, Apple has yet to fix iOS bug that sends devices into a crash spiral


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...