Apple iOS vulnerable to HomeKit doorLock bug


A new persistent denial of service vulnerability named ‘doorLock’ was discovered in Apple HomeKit, affecting iOS 14.7 through 15.2.

Apple HomeKit is a software framework that lets iPhone and iPad users control smart home appliances from their devices.

The security researcher Trevor Spiniolas publicly disclosed the details and according to him Apple has known about the flaw since August 10, 2021. However, despite the repeated promises to fix it, Apple has pushed the security update further, and it remains unresolved.

In order to trigger ‘doorLock,’ an attacker would change the name of a HomeKit device to a string larger than 500,000 characters.

Spinolas has released a proof-of-concept exploit in the form of an iOS app that has access to Home data and can change HomeKit device names.

Even if the target user doesn’t have any Home devices added on HomeKit, there is still an attack pathway by forging and accepting an invitation to add one.

While trying to load the large string, a device running a vulnerable iOS version will be pushed into a denial of service (DoS) state, and has to be reset to get out of it. However, while resetting the device all stored data will be removed and can be recovered only if you have a backup.

When the device reboots and the user signs back into the iCloud account linked to the HomeKit device, the bug will still be re-triggered.

The researcher states that this attack could be used as a ransomware vector, locking iOS devices into an unusable state and demanding a ransom payment to set the HomeKit device back to a safe string length.

It is possible that the bug can only be exploited by someone who has access to your ‘Home’ or via manually accepting an invitation to one.

It is possible to avoid the exploitation of this issue by disabling Home devices in Control Center. The users must beware of suspicious invitation messages from email addresses that resemble Apple services or HomeKit products.

In order to regain normal access to the iCloud account linked to the data, perform the following steps:

  • Restore the affected device from Recovery or DFU Mode
  • Set up the device as usual, but do NOT sign back into the iCloud account
  • After setup is finished, sign in to iCloud from settings. Immediately after doing so, disable the switch labeled “Home.” The device and iCloud should now function again without access to Home data.

The researcher states that Apple’s latest estimate for fixing the bug is for “early 2022,” which will be done through an upcoming security update.


Please enter your comment!
Please enter your name here