Security researcher shares HomeKit security bug

A vulnerability in HomeKit has recently been discovered, and one that involves long device names.

Trevor Spiniolas shared a vulnerability in iOS HomeKit to Apple August 2021, particularly an incident where a device name has a ‘long string’, or around 500,000 characters. When this happens, iPadOS and iOS devices can be rendered unusable and rebooted. Furthermore, when the long name is put on iCloud and across other iOS devices, the bug can reappear.

Spiniolas named the vulnerability ‘doorLock’, and mentioned that the bug affects iOS 14.7 and newer through testing. While iOS 15 and 15.1 put a limit on the name, the device could still receive an update from previous versions and might still be affected if it has HomeKit data.

Updating to a newer version or rebooting is not known to resolve the issue. Spiniolas also says that an attacker could send Home invitations and infect the device with the ‘doorLock’ bug even if they don’t have a HomeKit device.

Latest News