Security agents reveal iOS vulnerability: using HomeKit to paralyze the iPhone

Security researchers have recently disclosed an iOS vulnerability that can be exploited through HomeKit, and Apple has been very slow to fix it. According to security researcher Trevor Spiniolas, if a HomeKit device name is changed to a "very long string" (500,000 characters in his tests), the iOS and iPadOS devices that load the string will restart and become unusable.

Because the name is stored in iCloud and synced to every other iOS device signed in to the same account, the error can occur repeatedly.

Spiniolas called the vulnerability "doorLock" and claimed that in testing it affected all iOS versions above iOS 14.7, although it could also exist in all iOS 14 versions.

In addition, while the update in iOS 15.0/15.1 limits the length of the name that an app or user can set, previous versions of iOS can still update the name. If the error is triggered on an iOS version without that limit and the HomeKit data is shared, all devices the data is shared with will also be affected, regardless of version.
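The gap described above, where a length limit is enforced only when a name is set, can be modelled in a few lines. This is an added illustration, not Apple's code or the researcher's: the `SharedStore` and `Client` classes and the 64-character `MAX_NAME_LEN` are assumptions made for the model, and only the 500,000-character length comes from the article.

```python
from dataclasses import dataclass, field

MAX_NAME_LEN = 64  # assumed limit for this model; the article does not state the real one


@dataclass
class SharedStore:
    """Stands in for account-synced home data that every client reads."""
    names: dict = field(default_factory=dict)


class Client:
    def __init__(self, store, limits_on_write, limits_on_read):
        self.store = store
        self.limits_on_write = limits_on_write
        self.limits_on_read = limits_on_read

    def rename(self, device_id, name):
        # Write-side check: only protects data written by this client version.
        if self.limits_on_write and len(name) > MAX_NAME_LEN:
            raise ValueError("name too long")
        self.store.names[device_id] = name

    def load(self, device_id):
        # Read-side check: treats synced data as untrusted, whoever wrote it.
        name = self.store.names[device_id]
        if self.limits_on_read and len(name) > MAX_NAME_LEN:
            return name[:MAX_NAME_LEN]
        return name


def run_scenario():
    store = SharedStore()
    old = Client(store, limits_on_write=False, limits_on_read=False)
    patched = Client(store, limits_on_write=True, limits_on_read=False)
    hardened = Client(store, limits_on_write=True, limits_on_read=True)
    long_name = "A" * 500_000  # constructed input, length taken from the article

    try:
        patched.rename("lamp", long_name)
        rejected = False
    except ValueError:
        rejected = True

    old.rename("lamp", long_name)  # the older client has no limit
    return {
        "patched_write_rejected": rejected,
        "patched_reader_len": len(patched.load("lamp")),
        "hardened_reader_len": len(hardened.load("lamp")),
    }
```

The client that checks only on write refuses to set the long name itself but still loads all 500,000 characters once an older client has written them; only the client that also checks on read is insulated from data it did not write.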

This can lead to two situations. On a device that doesn't have Home devices enabled in Control Center, the Home app becomes unusable and crashes. Neither a restart nor an update will resolve the issue, and a restored device will make Home unusable again if it signs in to the same iCloud account.

On iPhones and iPads with Home devices enabled in Control Center, which is the default setting when users have access to HomeKit devices, iOS itself becomes unresponsive. Input is delayed or ignored, the device does not respond, and it occasionally restarts.

In this case, restarting or updating the device will not solve the problem, and because USB access is interrupted, the user is basically forced to restore the device and lose all local data. However, restoring and then signing in to the same iCloud account will trigger the error again, with the same effect as before.

Spiniolas believes the problem could be used for malicious purposes, such as introducing the error through an app that can access Home data. It is also feasible for an attacker to send Home invitations to other users, even if the target does not own a HomeKit device.

According to the researchers, the worse of the two cases can be avoided by disabling Home devices in Control Center. To do this, open Settings, then Control Center, and set the Show Family Controls toggle to Off. Users should also be vigilant about invitations to join other users' Home networks, especially those from unknown contacts.

Spiniolas claims that he initially reported the bug to Apple on Aug. 10, and Apple is said to have planned to release a security update fixing the bug by the end of 2022. However, Apple allegedly changed its estimate to "early 2022" on December 8.

The researchers wrote: "I don't think the handling of this bug is appropriate because it poses a serious risk to users, and many months have passed without a comprehensive fix. The public should know about this vulnerability and how to prevent it from being exploited, not be kept in the dark."