Apple Home software error may lock you out of iPhone

A security researcher called Trevor Spiniolas has just released information about a bug that he claims has existed in Apple’s iOS operating system since at least version 14.7.

The bug affects the Home app, Apple’s home automation software, which lets you control home devices (webcams, doorbells, thermostats, light bulbs and so on) that support Apple’s HomeKit ecosystem.

Spiniolas has dubbed the bug doorLock, giving it a logo and a dedicated web page, and claims that although he disclosed it to Apple in August 2021, the company’s attempts to patch it have so far been incomplete. His self-imposed deadline for going public, January 1st, 2022, has now passed, so the details of the flaw are out:

I think this error has been handled improperly because it poses a serious risk to users, and months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.

You will have to decide for yourself whether this bug truly “constitutes a serious risk”, but in this article we will tell you how to deal with the problem anyway.

The good news is that this vulnerability will not allow attackers to snoop on your phone (or your HomeKit device), steal data such as passwords or personal information, install malware, charge fraudulent online fees, or interfere with your network.

In addition, there are some easy ways to avoid getting bitten by this error in the first place while you wait for Apple to propose a complete fix.

The bad news is that if an attacker did trick you into triggering the vulnerability, you might end up with a phone that is so slow that you have to perform a firmware reset to get back into the device.

And, as you might already know (or, if you didn’t, you know it now!), using device recovery or DFU (a Direct Firmware Update, in which you completely reinitialize the firmware of a stubborn iDevice via a USB cable) will automatically erase all your personal data first.

Wiping your data while reinitializing the device is a feature, not a bug: it prevents thieves from simply grabbing your phone, performing a hard reset and their own DFU, and then reading your old data off the device they just “restored”. Wiping your data is fast and reliable, because Apple mobile devices always encrypt your data with a randomly selected password kept in secure storage, even if you don’t set a lock code of your own. Therefore, simply erasing this password from the device is enough to make all your data useless at once, without waiting for all the flash storage in the device to be overwritten, and without worrying about whether any unencrypted data is left behind.

Which devices are affected?

Spiniolas did not say, but we assume that the same bug exists in iPadOS, which has been released separately from iOS since version 13, but always with a matching version number.

We don’t know how far back this bug goes: as mentioned above, Spiniolas said “from iOS 14.7”, and we guess that this is the earliest version he was able to test.

Apple does not allow downgrades of iPhone and iPad to prevent jailbreakers from reverting to known vulnerable iOS versions in order to deliberately reintroduce exploitable security vulnerabilities.

What caused the error?

According to Spiniolas’s description, the bug is triggered if Apple’s Home app encounters a HomeKit device that it is authorized to access and that has a very long name (for example, 90,000 characters or more).

This makes the bug sound like an old-fashioned buffer overflow, where more data is saved into memory than was originally allocated for the “worst case”. The best outcome is that the offending program crashes; the worst is that it can be induced to misbehave in a controlled way.

The former result, a complete crash, usually leads to a denial of service (DoS) vulnerability, where attackers can deliberately crash the app again and again, causing inconvenience or outright trouble.

The latter result, where the attacker retains enough control over the crash to take over the buggy program completely and replace the running code with untrusted software of their own choice, is known as remote code execution (RCE).

RCE is usually used to implant spyware or malware and is obviously much more dangerous than DoS.

Currently, there is no indication that Spiniolas’s crash can be turned into a reliable RCE exploit, or even that it can cause RCE at all.

But the fact that cybercriminals now know where to start looking makes this bug all the more worth avoiding.

How is the error triggered?

If you deliberately rename one of the home devices in your HomeKit network so that its name is approximately 100,000 characters or more (Spiniolas used 500,000 and 90,000 characters in his experiments), then the Home app will apparently lock up when it tries to process the strangely named device, and will eventually crash.

According to Spiniolas, Apple recently patched the Home app to prevent you from renaming your device with an absurdly long name.

However, this patch apparently does not prevent the latest version of the app from reacting badly to a device that already has an over-long name, and it apparently does not prevent criminals from using an unpatched device to trap the installed app.

Spiniolas is not explicit about this, but we infer from his report that although unpatched versions of the Home app sometimes crash when you try to set a long HomeKit device name, they sometimes don’t crash, or crash only after the over-long name has been applied. Spiniolas also showed how to create a one-off iOS app that you can install locally on your own device using your Apple developer account, and that renames your HomeKit devices in an unsupervised way, regardless of whether your device is patched or not. Therefore, even if you cannot set a long HomeKit device name yourself, you should assume that an attacker can.
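The gap described above, where the rename form rejects over-long names but a name that was set elsewhere is still processed when it arrives, can be modelled in a few lines. This is an added illustration, not code from Apple, the Home app or Spiniolas’s report; the class names, the sync-record format and the 64-character limit are assumptions.

```python
"""Constructed model: length check on the rename form only vs. at every entry point."""
from dataclasses import dataclass, field

MAX_NAME_CHARS = 64          # assumed limit for illustration, not Apple's value
PLACEHOLDER = "Unnamed accessory"


class NameTooLong(ValueError):
    pass


def bounded_name(raw, limit=MAX_NAME_CHARS):
    """Return a display-safe name no longer than `limit` characters."""
    if not isinstance(raw, str):
        return PLACEHOLDER
    head = raw[: limit * 4]  # slice first, so later work is bounded whatever the input size
    cleaned = "".join(ch for ch in head if ch.isprintable()).strip()
    if not cleaned:
        return PLACEHOLDER
    return cleaned if len(cleaned) <= limit else cleaned[: limit - 1] + "…"


@dataclass
class UiOnlyStore:
    """Before: only the rename form validates; synced names are trusted."""
    names: dict = field(default_factory=dict)

    def rename_from_ui(self, accessory_id, new_name):
        if len(new_name) > MAX_NAME_CHARS:
            raise NameTooLong(f"{len(new_name)} characters")
        self.names[accessory_id] = new_name

    def apply_sync(self, records):
        for rec in records:  # names set elsewhere arrive here unchecked
            self.names[rec["id"]] = rec["name"]

    def longest_name(self):
        return max((len(n) for n in self.names.values()), default=0)


class BoundaryStore(UiOnlyStore):
    """After: names from any source pass through bounded_name() before use."""
    def apply_sync(self, records):
        for rec in records:
            self.names[rec["id"]] = bounded_name(rec.get("name"))


# Constructed sync payload: one ordinary name, one of the sizes the article mentions.
SAMPLE_SYNC = [{"id": "lamp-1", "name": "Hall lamp"},
               {"id": "lock-1", "name": "A" * 500_000}]
```

Applying `SAMPLE_SYNC` to `UiOnlyStore` leaves a 500,000-character name in the store even though its rename form would have refused it, while `BoundaryStore` holds at most 64 characters per name.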

Control Center problem

Unfortunately, Spiniolas said that if you have the Home app enabled in Apple’s Control Center (the always-available menu system that you can call up at any time by swiping from the top or bottom of the screen, depending on your iPhone version), then the app will load automatically in the background whenever you turn on your phone.

This means that your device may enter a permanent “lock up, crash, try again, lock up, crash, ad infinitum” loop before you have time to get into the Settings menu and remove Home from the Control Center.

Catch-22!

You can regain control of the Control Center by accessing the “Settings” application; but you first need to regain control of the Control Center before you can access the “Settings” application.

This is why Spiniolas claims that the only way to get out of this situation is to perform a Recovery or DFU on the unresponsive device.

Since this will delete all your personal data, the Home app will no longer display any HomeKit device names until you log in to your iCloud account for the first time and your HomeKit details are re-downloaded to your phone.

This gives you the opportunity to access the “Settings” app and remove the “Home” app from the control center screen before any HomeKit device names that cause the crash appear on your phone.

As for renaming any problematic devices so that you can safely control them again, Spiniolas says that you need an Apple developer account and need to use the app to do the renaming.

What to do?

We believe that you are unlikely to trigger this bug on your own HomeKit network by accident, because you are unlikely to copy and paste a ridiculous device name into the Home app by mistake, and then deliberately click [Save] to commit the strange name to your HomeKit configuration.

Therefore, the most likely ways for you to get into trouble are:

  • Someone you have authorized to access your HomeKit network decides to trigger the bug on you. If you have chosen your trusted neighbors or family members wisely (and you trust them to protect their own phones from cybercriminals and pickpockets), then this risk should be very low.
  • You accept a HomeKit network invitation from someone, and that person’s network triggers the bug. Assuming you treat access to another person’s home automation network as a major personal responsibility (and it is!), this risk should also be very low.

In other words, this problem is easy to mitigate:

  • Minimize the number of people who can access your HomeKit network. We strongly recommend this anyway.
  • Minimize the number of HomeKit networks to which you accept invitations yourself. We strongly recommend this anyway.
  • Remove the Home app from the Apple Control Center. Go to Settings > Control Center > Customize Controls. If Home appears in the INCLUDE list, tap the red minus sign next to it, and then tap the red [Remove] button that appears on the right. (See below.)
  • Regularly back up your iPhone data locally. You can use iTunes to do this on a Mac or Windows computer. On Linux, it’s even easier: you can use the idevicebackup2 utility to make a full backup at any time. You don’t need an Apple account to save local copies of your photos, videos, messages, audio files and so on at regular intervals. If you save the data to an encrypted removable drive, you can store it offline and offsite, and in an emergency you can access your iPhone data without a valid Apple login or an Apple device.

Removing the Home app via the Settings > Control Center screen. Left: tap the “No Entry” sign. Center: tap “Remove”. Right: gone!

Next step

Since we are not fans of home automation, we do not have an iCloud account or a HomeKit network to experiment with.

Therefore, we cannot advise you whether there is a way to manage HomeKit devices from your browser or from a non-Apple device, which would neatly sidestep the problematic Home app…

…So if you are a HomeKit user and have any suggestions for other readers, please let us know in the comments below!

