Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Bug IOS Apple

An Apple HomeKit Bug Can Send iOS Devices Into a Death Spiral (theverge.com) 22

Security researcher Trevor Spiniolas has discovered a vulnerability "capable of locking iOS devices into a spiral of freezing, crashing, and rebooting if a user connects to a sabotaged Apple Home device," reports The Verge. From the report: The vulnerability [...] can be exploited through Apple's HomeKit API, the software interface that allows an iOS app to control compatible smart home devices. If an attacker creates a HomeKit device with an extremely long name -- around 500,000 characters -- then an iOS device that connects to it will become unresponsive once it reads the device name and enter a cycle of freezing and rebooting that can only be ended by wiping and restoring the iOS device. What's more, since HomeKit device names are backed up to iCloud, signing in to the same iCloud account with a restored device will trigger the crash again, with the cycle continuing until the device owner switches off the option to sync Home devices from iCloud.

Though it's possible that an attacker could compromise a user's existing HomeKit-enabled device, the most likely way the exploit would be triggered is if the attacker created a spoof Home network and tricked a user into joining via a phishing email. To guard against the attack, the main precaution for iOS users is to instantly reject any invitations to join an unfamiliar Home network. Additionally, iOS users who currently use smart home devices can protect themselves by entering the Control Center and disabling the setting "Show Home Controls." (This won't prevent Home devices from being used but limits which information is accessible through the Control Center.)

This discussion has been archived. No new comments can be posted.

An Apple HomeKit Bug Can Send iOS Devices Into a Death Spiral

Comments Filter:
  • it's 2022 and developers sting cant escape and bounds check inputs ?

    honestly I like apple homekit but name lengths is pretty basic Quality Assurance test....

    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Tuesday January 04, 2022 @05:39AM (#62141035)

      Less bounds checks, and more like enforcing reasonable limits.

      500K characters is probably handled just fine by the code - no buffer overflows or anything. It just results in a crash because you're probably making copies of the string and consuming gobs of memory. 500K is half a megabyte, and probably stored as Unicode, so that could easily be a couple of megabytes. Do it a few times and you'll explode the stack and heap with extremely large objects.

      The device crashes because the application exhausts the RAM of the device. I mean, if it was a bounds problem, it would be an instant crash. Instead, it's probably stored as an unbounded safe string object that can handle basically unlimited sized strings. Problem is, the code is written to assume the strings will stay small and you're now dealing with tens to hundreds of copies of the strings and RAM runs out, the app crashes, and likely also takes down some other service in the OS.

      So it just goes to show, even if you use "safe" string objects, you can still have bad things happen, because even though you can handle an unlimited size string safely on input, you might not have the RAM available to handle multiple copies of it.

      The only mistake is Apple didn't impose some sort of limit to how long the string can be, which can be tricky with Unicode strings. And likely it happens because Apple used safe string constructs that ensured there was enough buffer space to hold even ridiculous amounts of data without overflow. So no security problems here because you can't overflow the buffer. However, the stability of the application was compromised because the strings multiplied in memory until the application ran out of memory. Since it's a 64-bit OS, the physical memory would run out long before the heap and stack limits would be reached.

      Everything else just happens because a system application got taken down.

      • by DamnOregonian ( 963763 ) on Tuesday January 04, 2022 @06:06AM (#62141083)

        Do it a few times and you'll explode the stack and heap with extremely large objects.

        Na. One doesn't dynamically allocate onto the stack, and these are devices with multiple gigabytes of RAM, so heap exhaustion is going to take more than a few hundred copies of a 0.5MB string (UTF-8 or otherwise)

        if it was a bounds problem, it would be an instant crash

        Incorrect.
        A failure to check bounds merely results in you writing past the variable in the stack. This can mean you can potentially overwrite other stack variables, overrun your stack frame (harmless), or completely fill the stack (segmentation fault)

        Insta-crashing on overwriting a buffer in stack or heap would have saved me about a trillion hours of my life in debugging.

        So it just goes to show, even if you use "safe" string objects, you can still have bad things happen, because even though you can handle an unlimited size string safely on input, you might not have the RAM available to handle multiple copies of it.

        Memory exhaustion is definitely a real attack vector.

        with Unicode strings.

        You mean UTF-8. Unicode can be represented in a wide char format (16-bit) where string length is merely bytes >> 1.

        So no security problems here because you can't overflow the buffer.

        The only people who think automatic bounds checking implies safety are likely writing code at such a high level that they can skate by with no knowledge what-so-fucking ever about the architecture of an actual CPU.

        Since it's a 64-bit OS, the physical memory would run out long before the heap and stack limits would be reached.

        Nope. Stack is limited to 1MB for the main thread on iOS, and 512KB per additional thread.
        Heap is limited to 2GB per process.

        • by _merlin ( 160982 )

          Unicode can be represented in a wide char format (16-bit) where string length is merely bytes >> 1.

          Oh you poor, nave thing. Let me introduce you you to surrogate pairs [datacadamia.com]. You need to go bigger than 16-bit if you want the number of bytes to be a simple multiple of the number of codepoints. But even when you get past that, there are combining characters, modifier characters, and other horrors.

          • Ya, that's fair. I'm still living in the UCS-2 days. The last time I needed to worry about the byte-encoding of unicode, it was still fixed-width. The Internet was an easier place before we needed to start supporting Chinese character sets. I stand corrected.
            • by _merlin ( 160982 )

              Chinese isn't bad. Chinese is pretty much always one character per codepoint, characters correspond to a single glyph (not context-sensitive), most characters are the same width, and the line break rules are very simple. Even Latin scripts are more complex when you need to deal with combining accents, joining punctuation, language-sensitive hyphenation rules, context-sensitive forms (e.g. ligatures), kerning, and more. The real killers are Indian languages, Thai, Arabic, and other scripts where everythin

  • Software creation seems to be riddled with incompetents. A truly pathetic state of affairs.

  • by k2r ( 255754 ) on Tuesday January 04, 2022 @10:27AM (#62141767)

    I have registered my "smart-devices" to my Apple-Home installation, which in turn is registered to my AppeID. That means I can control my lights (*1) etc. from each Apple devices menu bar (actually: Control Center) or I can use Siri to control them, whether at home or remotely (*2).
    I can invite other peoples AppleID to control (aspects of) my Apple-Home installation, so guests or the cleaner can switch the lights / blinders. They then get an email with an invitation-link they can accept and my Apple-Home is added to their set of places they can control.

    It seems that one can setup an Apple-Home with a maliciously named device and then ask people to join that Apple-Home. They would have to accept the invitation, though, but I can see some people failing for this.

    (1) in my case the brain of it all is "homeassistant" on Linux exporting some components to Apple-Home.
    (2) It's quite an ingenuous architecture: The router responsible to control devices is automatically elected from all Apple-Devices registered to the AppleID and can be reassigned dynamically. So if any one Apple device is at home and in reach of the "smart" devices, they can be controlled. Of course, if you have an AppleTV or HomePod, that will usually be the router, but it could be an iPad, too. The database is distributed to all devices using Apple's CloudKit and Communication is done E2E encrypted by (basically) iMessage. Very special but very nice system, it really "just works" in most cases.

    • I forgot to mention: I didn't find a use-case for sharing access, yet. Guests or the cleaner usually don't need to operate the more eclectic aspects of my house and the rest is either automated or has switches that at least look normal.
      But I think it's good that it's there.

    • I already explain that on my site Poker 2022 Resmi [2022poker.net] Please visit :)
  • got it over https://xiltis.com/ [xiltis.com]
  • Ada banyak sekali Agen Situs Slot Online [128.199.196.0] judi slot online yang bisa dipilih. Memilih yang terbaik untuk Anda akan tergantung pada apa yang Anda cari. Sebagian unsur yang perlu dipertimbangkan saat memilih Agen judi slot online termasuk lisensi casino, kebijakan privasi, dan syarat dan ketentuan. Memiliki lebih banyak isu membuat Anda merasa lebih nyaman. Tercantum di bawah ini yakni sebagian kiat yang bisa menolong Anda memilih alternatif terbaik untuk Anda. Semoga tips ini akan membantu Anda membuat keputu

You know you've landed gear-up when it takes full power to taxi.

Working...