A security researcher has publicly disclosed a bug present in iOS 15.2 (and going back to iOS 14.7 and possibly earlier) relating to HomeKit that could be used to permanently crash an iPhone.
Trevor Spiniolas found that changing the name of a HomeKit device to a large string (Spiniolas used 500,000 characters for the testing) would crash the associated iPhone.
To make matters worse, because the device name would be backed up to the user’s iCloud account, restoring an iPhone and signing back into the iCloud account linked to the HomeKit device would once again trigger the bug.
According to Spiniolas, “[t]his bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data.”
Spiniolas initially reported the bug to Apple on August 10, and Apple promised a fix “before 2022.” On December 10, Apple then informed Spiniolas that the fix would come “early 2022,” at which point he decided to make the bug public on January 1, 2022.
“The public should be aware of this vulnerability and how to prevent it from being exploited,” writes Spiniolas, “rather than being kept in the dark.”
Think you might be affected by this bug? Spiniolas has outlined the process to get the iPhone working again.
- Restore the affected device from Recovery or DFU Mode
- Set up the device as normal, but do NOT sign back into the iCloud account
- After setup is finished, sign into iCloud from settings. Immediately after doing so, disable the switch labeled “Home.” The device and iCloud should now function again without access to Home data.