A security researcher has exposed a vulnerability in Apple’s HomeKit platform that could lead to your iPhone (or anyone else with access to your Apple Home setup) becoming unusable. The bug was reported by security researcher Trevor Spiniolas, who detailed in a blog post that name of a HomeKit device being changed to something around 500,000 characters long is what causes the issues…
In the blog post, Spiniolas says that the bug was initially reported to Apple on August 10th, and remains in iOS 15.2. The company allegedly promised to resolve the issue in a security update prior to 2022, but it did not make good on this promise. Apple now says it will revisit the problem in “early 2022,” but Spiniolas is taking matters into his own hands to publicly disclose the information in the meantime.
Here is the synopsis of the bug, according to Spiniolas’ blog post:
When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting. Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.
The security researcher notes that in iOS 15.1, Apple added a limit on the length of the name an app or the user can set for a Home accessory.
Using Apple’s HomeKit API, any iOS app with access to Home data may change the names of HomeKit devices. In iOS 15.1 (or possibly 15.0) a limit on the length of the name an app or the user can set was introduced. On iOS versions previous to these, an application can trigger the bug since this limit is not present. If the bug is triggered on a version of iOS without the limit and the device shares HomeKit data with a device on an iOS version with the limit, both will be still be affected.
Notably, the bug affects users even if they do not have any Home devices added. This would happen if someone were to accept “an invitation to a Home that contains a HomeKit device with a large string as its name.” This is true even on the latest release of iOS 15.2.
“If an attacker were to exploit this vulnerability, they would be much more likely to use Home invitations rather than an application anyways, since invitations would not require the user to actually own a HomeKit device,” Spiniolas continues.
So, what’s the outcome if you’re impacted by this? It basically boils down to whether or not you have Home devices enabled in Control Center. As Spiniolas notes, Home devices being enabled in Control Center is the default behavior when a user has access to Home devices.
Here’s what happens if the devices does not have Home devices enabled in Control Center:
The Home app will become completely unusable, crashing upon launch. Rebooting or updating the device does not resolve the problem. If the device is restored but then signs back into the previously used iCloud, the Home app will once again become unusable.
And if your devices does have Home devices enabled in Control Center:
iOS will become unresponsive. All input to the device is ignored or significantly delayed, and it will be unable to meaningfully communicate over USB. After around a minute, backboardd will be terminated by watchdog and reload, but the device will remain unresponsive. This cycle will repeat indefinitely with an occasional reboot. Rebooting, though, does not resolve the issue, nor does updating the device. Since USB communication will no longer function except from Recovery or DFU mode, at this point the user has effectively lost all local data as their device is unusable and cannot be backed up. Critically, if the user restores their device and signs back into the previously used iCloud linked to the data, the bug will once again be triggered with the exact same effects as before.
Here’s a video of this issue in action:
This HomeKit bug is significant for all of the reasons Spiniolas has outlined in his blog post. Perhaps even more worrisome, however, is that Apple has known about the issue since August, and not yet rolled out a complete fix. Apple’s bug reporting system has faced criticism over the years, and it’s clear that not all of the quirks have been resolved.
You can read the full blog post with more details on this vulnerability right here. Again, Apple has reportedly promised Spiniolas that it will patch this issue in “early 2022,” but no further details are available.
FTC: We use income earning auto affiliate links. More.
Check out 9to5Mac on YouTube for more Apple news: