A security update for iOS contains a patch for a denial of service (DoS) vulnerability in the HomeKit framework, released after a researcher claimed that Apple had known about the bug for months.
The update (iOS 15.2.1) is now available for all supported iPhone and iPad devices. In its advisory, Apple describes the flaw only as a “resource depletion bug” that causes the device to crash when processing specially crafted HomeKit accessory names.
The sudden appearance of this update a couple of weeks after Trevor Spiniolas publicly disclosed the HomeKit flaw caught users off guard, as the researcher had warned that the bug could be exploited to launch ransomware-like attacks against affected iPhones and iPads.
The researcher found that when the name of an Apple HomeKit device is changed to an excessively long string of characters, any iOS device that loads that string crashes or becomes unresponsive. To make matters worse, resetting the affected device and logging back into the iCloud account linked to the HomeKit device triggers the bug again, since the oversized name is loaded once more.
Spiniolas suggested that this bug could enable a campaign of extortion attacks against iOS device users: “Apps with access to HomeKit device owners’ startup data can lock them out of their local copies and prevent them from logging back into their iCloud on iOS,” the researcher states.
The researcher also believes that malicious actors could use email addresses deliberately similar to those used by Apple services to trick users into handing over sensitive information. Finally, Spiniolas says he first reported this security issue to Apple in early August last year and has since pressured the company to issue an update.
Users of iOS devices are advised to install the latest version available as soon as possible.