New zero day attack on iPads and iPhones turns them into unusable objects

Trevor Spiniolas is a renowned mobile security researcher who has reported various issues and bugs affecting multiple commonly used technological devices. In his latest report, the expert details the finding of a severe vulnerability affecting Apple HomeKit for iOS versions between 14.7 and 15.2, which could lead to a persistent denial of service (DoS) scenario on affected devices.

The affected software is a framework available on iOS/iPadOS that allows users to configure and control various smart machines across their Apple devices, making it easier to create a fully connected environment. Spiniolas believes Apple was aware of the bug since mid-2021, though no mechanisms have been put in place to address it so far.

The expert adds that threat actors could trigger the vulnerability by renaming a HomeKit device to a string of more than 500,000 characters, which would force the restart of the affected iPad/iOS devices. The flaw can only be exploited by malicious hackers with access to the victim’s settings.

To do this, Spiniolas created an iOS app that has access to Home data and changes the names of HomeKit devices.

To solve the problem, it is necessary to force a restart of the device that will cause all the stored data to be deleted and subsequently restore the device using a backup, in addition it is necessary to highlight that restoring a device and logging back into the iCloud account linked to the HomeKit device will trigger the error again.

On the possible malicious use of this bug, Spiniolas mentioned that ransomware operators could exploit the flaw to lock a vulnerable device: “An application with access to the startup data of HomeKit users could lock local data and prevent the victim from accessing their backups,” adds the expert.

You can mitigate the risk of exploitation by disabling home devices in the iOS Control Center, as well as staying alert to any invitations to join other users’ home network.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.