iOS 15.2.1 Fixes ‘doorLock’ HomeKit Flaw and Other Bugs

Filip TRUȚĂ

January 13, 2022

Apple today started rolling out iOS 15.2.1 for iPhones and iPads, addressing a security flaw in the HomeKit framework that could be exploited to trigger denial of service and lock users out of their devices.

According to the release notes (pictured below), iOS 15.2.1 is a bug-fix release, addressing an issue with Messages not loading photos sent using an iCloud link as well as a problem with third-party CarPlay apps not responding to input.

But perhaps the more significant bug fix in iOS 15.2.1 is described in the security advisory tucked away at the end of the changelog.

Tracked as CVE-2022-22588, a resource exhaustion issue in the HomeKit framework is finally being addressed, four months after Apple was informed of its existence.

HomeKit lets users configure and control smart-home appliances using Apple devices.

Exploitation of the flaw, which affects most iOS devices in circulation, could be as simple as sending a malicious HomeKit invite to the victim. A successful attack would freeze the iPhone and trigger a reboot loop, essentially locking the victim out of the device.

Trevor Spiniolas, the researcher who discovered and reported the bug, expressed deep dissatisfaction with Apple’s sluggish response to his bug report, stressing that his ‘doorLock’ exploit could well be considered a ransomware attack vector for iPhones.

“I believe this issue makes ransomware viable for iOS, which is incredibly significant,” he wrote in a blog post. “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions.”

“An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue,” Spiniolas theorized.

“In regards to Apple’s awareness of the issue, I found their response to be insufficient,” Spiniolas wrote. “Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done. Status updates on the matter were rare and featured exceptionally few details, even though I asked for them frequently. Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.”

iOS 15.2.1 is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). To apply the patch, on your iOS device visit Settings -> General -> Software Update and follow the on-screen instructions.
