Apple Fixes ‘doorLock’ Homekit Bug for iPhones and iPads in Latest iOS Update

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

Apple rolled out iOS 15.2.1 on Thursday for iPhones and iPads, addressing a security vulnerability in the Homekit framework. This “doorLock” flaw could be exploited to trigger a denial of service and lock users out of their devices.

In the release notes for the update, it said iOS 15.2.1 is a bug-fix release, addressing an issue with messages not loading photos sent using a cloud link and a problem with third-party CarPlay apps not responding to input.

The most significant bug fix in iOS 15.2.1, however, is described in Thursday’s security advisory displayed at the end of the changelog.

Named CVE-2022-22588, a resource exhaustion issue in the HomeKit framework is being addressed just now, 4 months after Apple was first informed of the flaw.

HomeKit allows users to configure and control smart-home appliances while using Apple devices.

The flaw impacts most iOS devices in circulation and exploitation of it could simply entail sending a malicious invite to the victim. A successful attack would freeze the iPhone and trigger a reboot loop, basically locking users out of their devices.

Trevor Spiniolas, the researcher who first discovered and reported the bug, expressed dissatisfaction with Apple’s “insufficient” and sluggish response to his bug report. He also stressed that his ‘doorLock’ exploit could be considered a ransomware attack vector for iPhones.

“I believe this issue makes ransomware viable for iOS, which is incredibly significant,” he wrote in a blog post. “Applications with access to the Home data of HomeKit device owners may lock them out of their local data and prevent them from logging back into their iCloud on iOS, depending on the iOS version. An attacker could also send invitations to a Home containing the malicious data to users on any of the described iOS versions.”

“An attacker could use email addresses resembling Apple services or HomeKit products to trick less tech-savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue.”

iOS 15.2.1 is currently available for iPhone 6s and later, all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and the iPod touch (7th generation).

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.