A bug found in Apple’s HomeKit could cripple your iPhone, along with that of anyone else with access to your Apple Home setup. Security researcher Trevor Spiniolas reported the vulnerability to Apple months ago, but the trouble remains in iOS 15.2.
A HomeKit Device Name That’s Just Too Long
Spiniolas discovered that changing a HomeKit device name to a very large string breaks the iPhone. In testing, the researcher used a 500,000-character-long string. Of course, it’s entirely possible that a shorter device name could also trigger the bug.
In iOS 15.1, Apple added a limit to the name an app or user can set for a Home accessory. However, any devices running earlier versions of iOS could still trigger the HomeKit bug. Spiniolas’s recent blog post outlines the risk.
Using Apple’s HomeKit API, any iOS app with access to Home data may change the names of HomeKit devices. In iOS 15.1 (or possibly 15.0) a limit on the length of the name an app or the user can set was introduced. On iOS versions previous to these, an application can trigger the bug since this limit is not present. If the bug is triggered on a version of iOS without the limit and the device shares HomeKit data with a device on an iOS version with the limit, both will still be affected.
Rebooting the iPhone doesn’t fix the problem. Restoring the device doesn’t, either, if you log back into the iCloud account linked to the HomeKit device.
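Because the OS-side limit described above exists only on newer iOS versions, an app that writes accessory names through the HomeKit API should enforce its own bound before calling the API, rather than relying on the operating system to reject oversized input. The following Swift snippet is an added illustration of that defensive check; it is not code from the article or from Spiniolas’s research, and the specific limits (64 characters, 256 UTF-8 bytes) are assumed values chosen for the example, not Apple’s actual limit, which the article does not state.

```swift
import Foundation
import HomeKit

// Assumed app-side bounds for this example; Apple's own limit value is not
// given in the article, so pick something far below anything that could
// plausibly overwhelm a client.
let maxAccessoryNameCharacters = 64
let maxAccessoryNameUTF8Bytes = 256

enum AccessoryNameError: Error {
    case empty
    case tooLong(characters: Int, bytes: Int)
    case containsControlCharacters
}

/// Validate a candidate accessory name before handing it to HomeKit.
/// Checks both grapheme count and UTF-8 byte length so multi-byte input
/// cannot slip past a character-only bound.
func validateAccessoryName(_ raw: String) throws -> String {
    let name = raw.trimmingCharacters(in: .whitespacesAndNewlines)
    guard !name.isEmpty else { throw AccessoryNameError.empty }

    let chars = name.count
    let bytes = name.utf8.count
    guard chars <= maxAccessoryNameCharacters, bytes <= maxAccessoryNameUTF8Bytes else {
        throw AccessoryNameError.tooLong(characters: chars, bytes: bytes)
    }

    // Reject control characters, which have no place in a display name.
    let hasControl = name.unicodeScalars.contains { CharacterSet.controlCharacters.contains($0) }
    guard !hasControl else { throw AccessoryNameError.containsControlCharacters }

    return name
}

/// Rename an accessory only after the name passes validation. The HomeKit
/// call itself (HMAccessory.updateName) is the real framework API; the
/// wrapper around it is part of this example.
func renameAccessory(_ accessory: HMAccessory,
                     to raw: String,
                     completion: @escaping (Result<String, Error>) -> Void) {
    let name: String
    do {
        name = try validateAccessoryName(raw)
    } catch {
        completion(.failure(error))
        return
    }
    accessory.updateName(name) { error in
        if let error = error {
            completion(.failure(error))
        } else {
            completion(.success(name))
        }
    }
}
```

The point of validating on the app side is that the check travels with the app to every iOS version it runs on, whereas the limit the article attributes to iOS 15.1 does not exist on earlier releases and, per the researcher, does not protect a newer device from names synced in from an older one.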
Apple Knows About, But Hasn’t Yet Fixed, the HomeKit Bug
Spiniolas reported this bug on Aug. 10, 2021, and Apple informed the researcher it would patch the vulnerability before 2022. On Dec. 8, Apple revised its estimate for a fix to “early 2022.” At that point, Spiniolas informed the Cupertino-based company he would disclose the information publicly on Jan. 1, 2022.
I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.
The bug seems to affect iOS devices whether they have Home devices enabled in Control Center or not. Recovering from such an incident requires restoring the iOS device from Recovery or DFU mode and waiting to sign into iCloud until after finishing setup. Then, affected users should sign into iCloud but immediately disable the Home switch in Control Center.
Clearly, this HomeKit bug is an issue Cupertino really should resolve quickly. As Spiniolas points out, it does represent a very viable ransomware attack vector for the iPhone. Apple’s hesitance in patching this exploit is disturbing, to say the least.