iOS Devices Can Freeze, Crash Due to a HomeKit Vulnerability

Apple's iOS-based devices could go into a cycle of freezing and crashing and eventually become unusable due to a HomeKit vulnerability that has been exposed by a security researcher. The issue exists in all iOS versions, starting with iOS 14.7. iPhone users on the latest iOS version are also affected by the denial-of-service vulnerability, the researcher said. Apple is said to be aware of the issue and allegedly promise to address it before 2022. The flaw is, however, yet to be fixed.

Security researcher Trevor Spiniolas has detailed the scope of the HomeKit vulnerability that was initially reported to Apple on August 10 last year. The attacker can exploit the flaw and bring your iPhone or iPad in a cycle of freezing and crashing by connecting it with a HomeKit device that has an extensively lengthy name of around 500,000 characters, the researcher explained.

The iOS device is said to become unresponsive once it reads the device name. The attacker could also trigger the vulnerability by using an app to rename an existing HomeKit device. Alternatively, it could be exploited by sending an invite to a new HomeKit device that has a long name.

According to the researcher, Apple introduced a limit for the name an app or the user can set for a HomeKit device in iOS 15.1. This will help reduce the impact to some extent as the attacker couldn't impact users by triggering the vulnerability after renaming one of the connected HomeKit devices. But nonetheless, the issue can still impact users on the newer iOS versions if a HomeKit device with an extremely long name is connected via an invite.

The researcher also found that since Apple stores names of the connected HomeKit devices in iCloud, the issue persists even if a user restores an iOS device.

“If the device is restored but then signs back into the previously used iCloud, the Home app will once again become unusable,” the researcher said.

Spiniolas has created a video to give a brief look on the impact of the vulnerability even after restoring an iPhone.

Users can reject random invitations of HomeKit devices on their iPhone and iPad to avoid getting impacted by the vulnerability. Users who are already using smart home devices can also protect their hardware by disabling the setting Show Home Controls after going to the Control Centre.

In case you're already targeted by an attacker, the researcher advises that you can resolve the issue after restoring the affected device from Recovery or DFU Mode and set it up as normal without signing up into your iCloud account. Once signed up, you should sign into iCloud from settings and then disable the switch labelled Home immediately after signing in.

Spiniolas said that although it informed Apple about the bug in August, the company failed to bring a fix since the last deadline of January 1.

“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” the researcher said.

In 2019, Apple credited Spiniolas for reporting a vulnerability in macOS Mojave. The researcher, however, accused the iPhone maker of giving insufficient response to the fresh vulnerability.

Gadgets 360 has reached out to Apple for a comment on the matter. This report will be updated when the company responds.