iOS Devices Can Freeze, Crash Due to a HomeKit Vulnerability

Security researcher Trevor Spiniolas said that Apple has been aware of the issue since August 10.

Advertisement
By Jagmeet Singh | Updated: 4 January 2022 14:42 IST
Highlights
  • iPhone and iPad users could be impacted due to HomeKit vulnerability
  • Users who don’t have a Home device can also be targeted
  • Apple users are advised to not accept any random HomeKit device invites
iOS Devices Can Freeze, Crash Due to a HomeKit Vulnerability

Apple has not yet confirmed a fix for the HomeKit vulnerability

Apple's iOS-based devices could go into a cycle of freezing and crashing and eventually become unusable due to a HomeKit vulnerability that has been exposed by a security researcher. The issue exists in all iOS versions, starting with iOS 14.7. iPhone users on the latest iOS version are also affected by the denial-of-service vulnerability, the researcher said. Apple is said to be aware of the issue and allegedly promise to address it before 2022. The flaw is, however, yet to be fixed.

Security researcher Trevor Spiniolas has detailed the scope of the HomeKit vulnerability that was initially reported to Apple on August 10 last year. The attacker can exploit the flaw and bring your iPhone or iPad in a cycle of freezing and crashing by connecting it with a HomeKit device that has an extensively lengthy name of around 500,000 characters, the researcher explained.

The iOS device is said to become unresponsive once it reads the device name. The attacker could also trigger the vulnerability by using an app to rename an existing HomeKit device. Alternatively, it could be exploited by sending an invite to a new HomeKit device that has a long name.

According to the researcher, Apple introduced a limit for the name an app or the user can set for a HomeKit device in iOS 15.1. This will help reduce the impact to some extent as the attacker couldn't impact users by triggering the vulnerability after renaming one of the connected HomeKit devices. But nonetheless, the issue can still impact users on the newer iOS versions if a HomeKit device with an extremely long name is connected via an invite.

Advertisement

The researcher also found that since Apple stores names of the connected HomeKit devices in iCloud, the issue persists even if a user restores an iOS device.

“If the device is restored but then signs back into the previously used iCloud, the Home app will once again become unusable,” the researcher said.

Advertisement

Spiniolas has created a video to give a brief look on the impact of the vulnerability even after restoring an iPhone.

Users can reject random invitations of HomeKit devices on their iPhone and iPad to avoid getting impacted by the vulnerability. Users who are already using smart home devices can also protect their hardware by disabling the setting Show Home Controls after going to the Control Centre.

Advertisement

In case you're already targeted by an attacker, the researcher advises that you can resolve the issue after restoring the affected device from Recovery or DFU Mode and set it up as normal without signing up into your iCloud account. Once signed up, you should sign into iCloud from settings and then disable the switch labelled Home immediately after signing in.

Spiniolas said that although it informed Apple about the bug in August, the company failed to bring a fix since the last deadline of January 1.

“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” the researcher said.

In 2019, Apple credited Spiniolas for reporting a vulnerability in macOS Mojave. The researcher, however, accused the iPhone maker of giving insufficient response to the fresh vulnerability.

Gadgets 360 has reached out to Apple for a comment on the matter. This report will be updated when the company responds.


What are the best phones of 2021? We discuss this on Orbital, the Gadgets 360 podcast. Orbital is available on Spotify, Gaana, JioSaavn, Google Podcasts, Apple Podcasts, Amazon Music and wherever you get your podcasts.
Affiliate links may be automatically generated - see our ethics statement for details.
 

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Advertisement

Related Stories

Popular Mobile Brands
  1. Vivo X200 FE Global Launch Confirmed; Design Teased
  2. Vivo Y400 Pro 5G India Launch Date Confirmed; Design Revealed
  3. Poco F7 Launch Date, Price in India, Design and Key Features Leaked Online
  4. Oppo Reno 14 5G Series, Watch X2 Mini, Enco Buds 3, Pad SE to Launch Globally
  5. OnePlus Nord 5 Series, OnePlus Buds 4 to Launch in India on This Date
  6. Hisense U7Q Mini-LED TV Launched in India With These Features
  7. Realme Narzo 80 Lite 5G Launched in India With 6,000mAh Battery: See Price
  8. Oppo K13x 5G India Launch Date, Price Range and Key Features Revealed
  1. Bitget Partners UNICEF Unit to Expand Blockchain Training Across India, Other Countries 
  2. WhatsApp Reportedly Working on Ability to Scan Documents on Android Smartphones
  3. ElevenLabs Expands Eleven V3 Text-to-Speech Model With Support for 41 New Languages
  4. Vivo T4 Lite 5G India Launch Confirmed; Battery Capacity, Price Range Teased
  5. TikTok Pushes Deeper Into AI-Generated Video Ads With New Tools
  6. Apple Risks Fresh EU Charge Sheet Over App Store Curbs
  7. The Witcher 4 Will Target 60 FPS on Consoles, but Series S Will Be 'Extremely Challenging' Says CD Projekt Red
  8. Oppo Reno 14 5G Series Global Launch Teased Alongside Watch X2 Mini, Enco Buds 3 and Pad SE
  9. Microsoft Begins Testing AI Agents in Windows 11, Brings Option to Share Recall Snapshots in Europe
  10. watchOS 26 to Bring Control Center Customisation Options with User-Defined Toggles
Gadgets 360 is available in
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.