Security researcher blames Apple for not fixing a bug that can be used as ransomware on an iPhone

Posted on |

Security researcher blames Apple for not fixing a bug that can be used as ransomware on an iPhone

It hasn’t been mentioned in the media, but a bug initially reported to Apple last August 10th is still there in iOS 15.2. The bug has been tested on iPhone units running iOS 14.7 through the most recent iOS release. Security researcher Trevor Spiniolas, who reported the bug to Apple, says that it is likely that phones running all builds of iOS 14 would have it although his testing started with iOS 14.7.

Apple iPhone users can be blackmailed by attackers

Spiniolas’ blog post, called doorLock, explains that when an iPhone user (running the specific versions of iOS previously cited) changes the name of a HomeKit device to one with 500,000 or more characters, and signs back into the iCloud account used with that HomeKit device, two things could occur.

Without any Home devices enabled in the Control Center, the Home app will crash as soon as it is opened making it impossible to use. Rebooting or restoring the phone won’t help because once signed in to the same iCloud account, the Home app will continue with the same behavior. Now if the user does have a Home device enabled in the Control Center, iOS becomes unresponsive and will loop with an “occasional reboot.”

And to make matters worse, bad actors can take advantage of this situation. Spiniolas writes “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send email invitations to a Home containing the malicious data to users on any of the described iOS versions…”

And this can be exploited for financial reasons. The attacker could send an email from an address similar to Apple services or an HomeKit product in an attempt to get an iPhone user to accept the invitation and ask for a payment to rectify the issue. This could take place even if the iPhone user doesn’t own a HomeKit product.

As we noted at the top of this article, Apple has already been informed about this bug, and the researcher blasts Apple for its “lack of transparency” that “poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.” He says that Apple was supposed to fix this bug before the end of last year, but instead, it will issue a patch early this year.

Apple is expected to issue an update early this year

Spiniolas says that “A reliable method of regaining access to local data after the bug has been triggered has not been identified.” However, restoring the iPhone and signing into a new iCloud is possible if one were to follow these directions posted by the security researcher:

  • Restore the affected iPhone from Recovery or DFU Mode.
  • Setup the device as you would normally do, but refrain from signing back into the iCloud account.
  • After setup is finished, go ahead and sign in to iCloud from settings. As soon as you do this, disable the switch labeled “Home.”

The affected handset and iCloud should now work without access to Home data. If you need to have access to Home data and are able to install the testing application with Xcode, follow the three steps posted above and add the following:

  • Press the back button and then press Control Center settings again which will reload the page reload the page.
  • Keep doing this until a setting labeled “Show Home Controls” is visible. Disable the setting immediately.
  • Install the test application and run it using a short string that will change the name of all associated Home devices.

Spiniolas throws in his two cents by stating that “This bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data. In regards to Apple’s awareness of the issue, I found their response to be insufficient. Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done.”

Leave a Reply

Your email address will not be published. Required fields are marked *