Apple’s iOS is one platform that provides ironclad security to its users. Apple regularly scans its platform for vulnerabilities and fixes them promptly if any are found. But now, a new report states that the company has failed to fix an iOS bug that leaves iPhones vulnerable to ransomware attacks. What’s more, Apple has reportedly been aware of the issue since August last year and yet has failed to fix the bug.
A persistent denial of service (DoS) vulnerability called ‘Door Lock’ has been discovered in Apple HomeKit, according to security researcher Trevor Spiniolas. The vulnerability affects iOS 14.7 through iOS 15.2. The researcher says he first reported the issue to Apple on August 10, 2021. At the time, the company told the researcher that the bug would be fixed in an update before 2022. But now, the company has reportedly revised its estimate to the beginning of 2022.
What is the iOS bug and what does it do?
Spiniolas details the vulnerability in his blog post, explaining that when an iPhone user renames a HomeKit device and signs back into the iCloud account used with that HomeKit device, one of two things can happen. If the user hasn’t enabled any home devices in Control Center, the Home app will crash when launched. The researcher says that rebooting or updating the device does not resolve the problem. If the device is restored and the user signs back into the same iCloud account, the Home app is rendered unusable again.
Alternatively, iOS will become unresponsive if the device has Home Devices enabled in Control Center. Spiniolas said in his blog that neither rebooting nor updating the device helped solve the problem. “Since USB communication will no longer work except in recovery or DFU mode, at this point the user has effectively lost all local data because their device is unusable and cannot be backed up,” he wrote in the post.
Simply put, as long as users are signing back into the same iCloud account associated with the data, the bug will be triggered with the same effect.
To make matters worse, the researcher says that attackers could benefit from this situation because they would be able to send users invitations to a Home device containing malicious data, even if they didn’t have a connected HomeKit device. “An attacker could use email addresses like Apple services or HomeKit products to invite less tech-savvy users (or even those who are curious) to accept invitations and then demand payment from them through email in exchange for fixing the issue,” he said in the blog.
How can I protect myself?
Apple is working on fixing this problem. In the meantime, security researchers have suggested two workarounds to keep your data safe. Users who are unable to install the test app should restore the affected device from recovery or DFU mode and then set up the device as normal without signing in to an iCloud account. Once they have set up the device, they should log in to the account and disable the “Home” switch in iCloud settings. This will essentially prevent iCloud and connected home devices from functioning without access to home data.
Alternatively, users who are able to access the test app have to press the Back button to reload the page and then press Control Center Settings, repeating this until they see the “Show Home Controls” setting. This should be done after they have set up the device and logged in to the iCloud account. Users should then disable the “Show Home Controls” setting, after which they should install the test app and run it with a short string to rename all linked home devices.
The post “Apple iOS bug that makes your iPhone vulnerable to ransomware attacks” first appeared on BGR India.