Apple Fixes the doorLock HomeKit Flaw that can Disable iPhones and iPads

Apple has released a security update to address a persistent denial of service (DoS) flaw dubbed doorLock that could disable iPhones and iPads running HomeKit on iOS 14.7 and later.

HomeKit is the Apple protocol and framework that lets iOS and iPadOS users discover and control smart home accessories on their network. According to Apple's security advisory, the doorLock vulnerability, tracked as CVE-2022-22588, is a resource exhaustion issue: affected iOS and iPadOS devices can be sent into a denial of service when they process a maliciously crafted HomeKit accessory name.

Apple addressed the issue in iOS 15.2.1 and iPadOS 15.2.1 by adding improved input validation, so a threat actor can no longer use an oversized accessory name to disable vulnerable devices.

Devices receiving the update include the iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). “Four months ago I discovered and reported a serious denial of service bug in iOS that still remains in the latest release. It persists through reboots and can trigger after restores under certain conditions,” said Trevor Spiniolas, the programmer and self-described “beginning security researcher” who found and reported the bug.

“All the requirements are default settings. When someone sets up their iOS device, everything is already in order for the bug to work. If they accept a malicious home invitation from there, their device stops working.”

Why has the Update been Postponed since August?

According to the researcher, Apple has known about doorLock since August 2021 but pushed the security update back several times despite repeatedly promising to fix it. He believes the flaw was handled inappropriately, since it poses a serious risk to users and many months passed without a comprehensive fix.


In his view, the public should know about this vulnerability and how to avoid having it exploited against them, rather than being kept in the dark. The researcher says an attacker would have to change the name of a HomeKit device to a very long string (up to 500,000 characters) and then trick the target into accepting a Home invitation.

Once the target joins the attacker's HomeKit network, their device becomes unresponsive and eventually crashes. A restart does not help, because the device crashes again as soon as it reboots, and it can crash again even after a restore once the user signs back into the iCloud account linked to the HomeKit data. In practice the only way to recover is to factory reset the disabled device.
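Apple's fix is described only as "improved input validation". The following is an added illustration of what that kind of check looks like at the point where an untrusted Home invitation is processed; it is example code written for this page, not Apple's HomeKit implementation, and the limits, function names and the sample invitation are assumptions. The important property is that the length check runs on the raw bytes before any decoding, normalization or rendering, so nothing proportional to an attacker-chosen name length happens before the name is rejected.

```python
"""Illustrative input validation for HomeKit-style accessory names.

Added example, not Apple's code. MAX_NAME_BYTES, MAX_NAME_CHARS and the
function names are assumptions chosen for the example.
"""

import unicodedata

# Assumed caps: a real accessory name is a few dozen characters, so a hard
# limit far below the ~500,000-character names described in the doorLock
# report still leaves generous headroom.
MAX_NAME_BYTES = 256   # raw UTF-8 bytes, checked before any decoding
MAX_NAME_CHARS = 64    # code points after NFC normalization


class InvalidAccessoryName(ValueError):
    """Raised when an untrusted accessory name fails validation."""


def validate_accessory_name(raw: bytes) -> str:
    """Validate an untrusted accessory name before it is stored, synced to
    iCloud or rendered. Cheap O(1) checks run first so an oversized name is
    rejected without decoding or normalizing it."""
    if not isinstance(raw, (bytes, bytearray)):
        raise InvalidAccessoryName("name must be raw bytes")
    if len(raw) == 0:
        raise InvalidAccessoryName("empty name")
    if len(raw) > MAX_NAME_BYTES:
        raise InvalidAccessoryName(
            f"name too long: {len(raw)} bytes > {MAX_NAME_BYTES}")
    try:
        text = bytes(raw).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise InvalidAccessoryName("name is not valid UTF-8") from exc
    # Normalize so equivalent spellings are compared and displayed the same way.
    text = unicodedata.normalize("NFC", text)
    # Reject control and format characters (Unicode categories Cc, Cf, ...).
    if any(unicodedata.category(ch).startswith("C") for ch in text):
        raise InvalidAccessoryName("control or format characters not allowed")
    if len(text) > MAX_NAME_CHARS:
        raise InvalidAccessoryName(
            f"name too long: {len(text)} characters > {MAX_NAME_CHARS}")
    return text


def process_home_invitation(accessory_names: list) -> dict:
    """Vet every accessory name carried by an invitation. Returns the accepted
    names and a count of rejected ones, so the caller can refuse the
    invitation or show a warning instead of handing bad data to the UI."""
    accepted = []
    rejected = 0
    for raw in accessory_names:
        try:
            accepted.append(validate_accessory_name(raw))
        except InvalidAccessoryName:
            rejected += 1
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample invitation: two benign names and one oversized name
# modelled on the ~500,000-character names described in the report.
SAMPLE_INVITATION = [
    "Living Room Lamp".encode("utf-8"),
    "Front Door Lock".encode("utf-8"),
    ("A" * 500_000).encode("utf-8"),
]

if __name__ == "__main__":
    print(process_home_invitation(SAMPLE_INVITATION))
```

Running the block on the constructed invitation accepts the two ordinary names and rejects the oversized one before it is ever decoded. In a real client the same validation would also need to run on names arriving through iCloud sync, since the report notes the crash can recur after a restore once the account is signed back in.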

Why were Zero-day Patches also Delayed?

In September, another software developer also dropped proof-of-concept exploit code for three iOS zero-day flaws after Apple delayed patching them and failed to credit him when it patched a fourth in July. One month later, with the release of iOS 15.0.2, Apple fixed one of the zero-day vulnerabilities he had reported, the ‘gamed’ bug.

However, Apple did not acknowledge or credit him for the discovery, and it also asked him to keep quiet and not tell others that the company had failed to give him credit for the bug. Other security researchers and bug bounty hunters have reported similar experiences, saying they were kept in the dark for months on end while Apple refused to reply to their messages.
