Apple’s iOS is one the platforms that offers ironclad security to the users. Apple routinely scans its platform for vulnerabilities and promptly fixes them if it finds any. But now, a new report says that the company has failed to fix an iOS bug that makes iPhones vulnerable to ransomware attacks. What’s more? Apple has reportedly known about the issue since August last year and yet it has failed to fix the bug. Also Read - Your next gaming laptop, PC will be more expensive to buy: Here's why
According to security researcher Trevor Spiniolas, a persistent denial of service (DoS) vulnerability called ‘Door Lock’ has been discovered in the Apple HomeKit. This vulnerability is affecting iOS 14.7 through iOS 15.2. The researcher says that he first reported the issue to Apple on August 10, 2021. At the time, the company had told the researcher that the bug will be fixed in an update before 2022. But now, the company has reportedly revised its estimate to early 2022. Also Read - iPhone SE+ or iPhone SE 3? Here’s what we know about the next affordable iPhone
What is the iOS bug and what does it do?
Spiniolas in his blog post detailing this vulnerability explained that when an iPhone user changes the name of a HomeKit device and signs back into the iCloud account used with that HomeKit device, one of the two things can occur. If the user hasn’t enabled any home devices in the Control Center, the Home app will crash upon launching. The researcher says that rebooting or updating the device does not mitigate this issue. If the user signs back into the same iCloud account when the device is restored, the Home app, rendering the interface unusable again. Also Read - Yu-Gi-Oh! Master Duel released silently, brings in cross-play and cross-save support
Alternatively, if the device does have Home devices enabled in the Control Center, iOS will become unresponsive. Spiniolas in his blog said that neither rebooting nor updating the device helps in resolving the issue. “Since USB communication will no longer function except from Recovery or DFU mode, at this point the user has effectively lost all local data as their device is unusable and cannot be backed up,” he wrote in the post.
Simply put, as long as the users are signing back in the same iCloud account linked to the data, the bug will be triggered with the same effects.
To make matters worse, the researcher says that attackers can benefit from this situation as they will be able to send invitations to a Home device containing malicious data to users even if they don’t have a connected HomeKit device. “An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue,” he added in the blog.
How can I protect myself?
Apple is working on fixing this issue. In the meantime, the security researcher has suggested two tricks to safeguard your data. Users who are unable to install the testing app should try to restore the affected device from Recovery or DFU Mode and then set up the device as they normally would without signing into the iCloud account. Once they are done setting up the device, they should disable the Home switch in the iCloud setting by logging into the account. This would essentially prevent the iClould and the connected Home device to function without accessing the Home data.
Alternatively, users who are able to access the testing app should press the back button and then press Control Center settings again to reload the page, repeating it until they see the “Show Home Controls” setting. This should be done after they have set up the device and logged in the iCloud account. Users should then disable the ‘Show Home Controls’ settings, following which they should install the test app and run it with a short string to rename all the linked Home devices.