Apple today started rolling out iOS 15.2.1 for iPhones and iPads, addressing a security flaw in the HomeKit framework that could be exploited to trigger denial of service and lock users out of their devices.
According to the release notes (pictured below), iOS 15.2.1 is a bug-fix release, addressing an issue with Messages not loading photos sent using an iCloud link as well as a problem with third-party CarPlay apps not responding to input.
But perhaps the more significant bug fix in iOS 15.2.1 is described in the security advisory tucked away at the end of the changelog.
Tracked as CVE-2022-22588, a resource exhaustion issue in the HomeKit framework is finally being addressed, four months after Apple was informed of its existence.
HomeKit lets users configure and control smart-home appliances using Apple devices.
Exploitation of the flaw, which affects most iOS devices in circulation, could be as simple as sending a malicious invite to the victim. A successful attack would freeze the iPhone and trigger a reboot loop, essentially locking the victim out of the device.
Trevor Spiniolas, the researcher who discovered and reported the bug, expressed deep dissatisfaction with Apple’s sluggish response to his bug report, stressing that his ‘doorLock’ exploit could well be considered a ransomware attack vector for iPhones.
“I believe this issue makes ransomware viable for iOS, which is incredibly significant,” he wrote in a blog post. “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions.”
“An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue,” Spiniolas theorized.
“In regards to Apple’s awareness of the issue, I found their response to be insufficient,” Spiniolas wrote. “Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done. Status updates on the matter were rare and featured exceptionally few details, even though I asked for them frequently. Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.”
iOS 15.2.1 is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). To apply the patch, go to Settings -> General -> Software Update on your iOS device and follow the on-screen instructions.