A rookie security researcher claims to have discovered a potential ransomware attack vector for iPhones and iPads that exploits a weakness in Apple’s HomeKit framework.
He calls the exploit ‘doorLock’ and says any iPhone or iPad running iOS 14.7 through iOS 15.2 is vulnerable, with older iOS 14 releases likely affected as well.
Trevor Spiniolas came out with his findings Jan. 1, four months after he notified Apple of the flaw. He claims he went public with the flaw because the company was slow to respond, even though he warned the firm weeks ago that he would speak up about it.
A dead-simple exploit
The self-described ”beginning security researcher” has released a proof-of-concept (PoC) for a denial of service attack that essentially freezes the target device and sends it into a reboot loop, locking victims out of their data. Even if the device is rebooted, the bug is triggered automatically as the device tries to re-authenticate with their Apple account.
“When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting,” Spiniolas writes on his blog.
“Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug,” he explains.
Apple’s HomeKit framework lets users configure and control smart home appliances using iGizmos. Perhaps key to the bug uncovered by Spinolas, HomeKit is designed to automatically discover such devices and configure them.
There are two ways to exploit the weakness, the simplest of which affects most configurations out there. All an attacker has to do is get the victim to accept a malicious invitation with the long name string, which causes the devices to freeze and go into a reboot cycle that fails to get past the lock screen. Spiniolas demonstrates this real-world attack scenario in a PoC video posted to his blog (embedded below).
“This cycle will repeat indefinitely with an occasional reboot,” the programmer explains. “Rebooting, though, does not resolve the issue, nor does updating the device. Since USB communication will no longer function except from Recovery or DFU mode, at this point the user has effectively lost all local data as their device is unusable and cannot be backed up. Critically, if the user restores their device and signs back into the previously used iCloud linked to the data, the bug will once again be triggered with the exact same effects as before.”
A potential ransomware vector for iOS
Spiniolas believes his findings are grounds for a viable ransomware vector – a rare notion in the context of iOS hardware.
“Because of these effects, I believe this issue makes ransomware viable for iOS, which is incredibly significant,” Spiniolas stresses.
The researcher theorizes that an attacker could even try to spoof Apple services or HomeKit products to dupe less tech-savvy users and demand payment to fix the issue.
Mitigations (caution!)
With the cat out of the bag, someone out there could well try to exploit the flaw for criminal profit – or even just for fun.
There is currently no reliable method to regain access to local data if the attack has already unfolded, meaning it’s probably best not to try this experiment yourself. In any case, Spiniolas says users can at least regain access to the iCloud account linked to their data by following these steps:
Restore the affected device from Recovery or DFU Mode
· Set up the device as normal
· Do NOT sign back into the iCloud account
· After setup is finished, go to Settings and sign into your Apple ID
· Immediately tap iCloud and disable ‘Home’ to prevent syncing up with the iCloud-stored Home data
The simplest way to protect yourself from the worst of doorLock’s effects is to disable Home devices in Control Center, according to the researcher.
As always, it’s recommended that users keep regular backups of their data (preferably offline as well) to stay on the safe side no matter what security threats may be haunting the landscape.