Apple’s HomeKit can be abused to reboot iPhones endlessly
Apple’s HomeKit allows users to control and automate their compatible smart home appliances, and thanks to iCloud sync, changes made on one Apple device are automatically reflected on the rest. However, a newly discovered HomeKit vulnerability can cause iPhones to reboot endlessly. This issue affects a wide range of iOS versions, including the latest stable release, iOS 15.2. If you’re running an older version of iOS, malicious third-party apps can trigger this bug as well. Depending on your iPhone’s settings, you will either be locked out of the Home app or your iPhone will crash completely and get stuck in an endless reboot loop.
This vulnerability, which was discovered by researcher Trevor Spiniolas (via The Verge), can be triggered by creating a HomeKit device with a very long name. If an unsuspecting user accepts an invitation link to a HomeKit device with a name that is over 500,000 characters long, iOS will crash and reboot indefinitely. Additionally, on versions before iOS 15, third-party apps have permission to change HomeKit device names, so a developer could potentially exploit the vulnerability remotely, without user intervention, on those earlier versions.
There are a few steps you can take to prevent the exploitation of this vulnerability on your iPhone. For starters, you could disable iCloud sync for the Home app. This way, HomeKit data remains local, and factory resetting your iPhone won’t load the compromised, long name from iCloud. Another precautionary step you can take is removing Home Controls from the Control Center. This causes the bug to only crash the Home app instead of the entire OS if it is exploited on your device.
It’s worth noting, though, that the best way to protect yourself is to ignore invitation links sent from people you don’t know or trust. Additionally, if you’re still on iOS 14, upgrading to the latest build of iOS 15 will prevent apps from changing a HomeKit device’s name to a long one, though the underlying bug still exists. Apple initially informed Spiniolas that it would patch this bug before 2022. The estimated date was then changed to early 2022. It’s unclear when the company will fix it, but at least it is well aware of the bug’s existence.