A persistent denial-of-service (DoS) vulnerability has been discovered in Apple’s iOS mobile operating system that’s capable of sending affected devices into a crash or reboot loop upon connecting to an Apple Home-compatible appliance.
The behavior, dubbed “doorLock,” is trivial in that it can be triggered by simply changing the name of a HomeKit device to a string larger than 500,000 characters.
This causes an iPhone or iPad that attempts to connect to the device to become unresponsive and enter an indefinite cycle of system failure and restart that can only be mitigated by restoring the affected device from Recovery or DFU (Device Firmware Update) Mode.
HomeKit is Apple’s software framework that allows iOS and iPadOS users to configure, communicate with, and control connected accessories and smart-home appliances using Apple devices.
“Any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting,” security researcher Trevor Spiniolas said. “Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.”
images from Hacker News