The HomeKit Bug That Can Cripple Your iPhone

The HomeKit Bug That Can Cripple Your iPhone

A bug found in Apple’s HomeKit could cripple your iPhone, along with that of anyone else with access to your Apple Home setup. Security researcher Trevor Spiniolas reported the vulnerability to Apple months ago, but the trouble remains in iOS 15.2.

A HomeKit Device Name That’s Just Too Long

Spiniolas discovered that changing a HomeKit device  name to a very large string, it breaks the iPhone. In testing, the researcher used a 500,000-character-long string,. Of course. it’s entirely possible that a shorter device name could also trigger the bug.

https://youtu.be/_BmI5Otsm9I

In iOS 15.1, Apple added a limit to the name an app or user can set for a Home accessory. However, any devices running earlier versions of iOS could still trigger the HomeKit bug. Spiniolas’s recent blog post outlines the risk.

Using Apple’s HomeKit API, any iOS app with access to Home data may change the names of HomeKit devices. In iOS 15.1 (or possibly 15.0) a limit on the length of the name an app or the user can set was introduced. On iOS versions previous to these, an application can trigger the bug since this limit is not present. If the bug is triggered on a version of iOS without the limit and the device shares HomeKit data with a device on an iOS version with the limit, both will be still be affected.

Rebooting the iPhone doesn’t fix the problem. Restoring the device doesn’t, either, if you log back into the iCloud account linked to the HomeKit device.

Apple Knows About, But Hasn’t Yet Fixed, the HomeKit Bug

Spiniolas reported this bug on Aug. 10, 2021, and Apple informed the researcher it would patch the vulnerability before 2022. On Dec. 8, Apple revised its estimate for a fix to “early 2022.” At that point, Spiniolas informed the Cupertino-based company he would disclose the information publicly on Jan. 1, 2022.

I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix. The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.

The bug seems to affect iOS devices whether they have Home devices enabled in Control Center or not. Recovering from such an incident requires restoring the iOS device from Recovery or DFU mode and waiting to sign into iCloud until after finishing setup. Then, affected users should sign into iCloud but immediately disable the Home switch in Control Center.

Clearly, this HomeKit bug is an issue Cupertino really should resolve quickly. As Spiniolas points out, it does represent a very viable ransomware attack vector for the iPhone. Apple’s hesitance in patching this exploit is disturbing, to say the least.

6 thoughts on “The HomeKit Bug That Can Cripple Your iPhone

  • Thankfully this bug has not hit my iPhones. But I can’t help wondering whether it has affected my Mac mini running Catalina. Since three days ago my Mac, upon waking, went through the boot and loading processes, comes to the end, pauses for––who knows how long––half an hour or more without loading the GUI. Then it crashes only to repeat the process over and over and over…. I went through the whole gamut of troubleshooting steps and options, even reinstalling the System software via the recovery option, and the same thing happens again and again and again.

    1. There haven’t been any indications of the bug affecting macOS, and if so, it would have also affected your iPhone. Must be something else going on with the Mac.

      By the way, the iOS HomeKit bug has been patched as of the latest 15.2 update.

  • “ In testing, the researcher used a 500,000-character-long string. Of course. it’s entirely possible that a shorter device name could also trigger the bug.”

    500,000 characters? Who would do that? Yeah fix it, but first fix “Updating” devices

    1. It actually wouldn’t be too difficult to write a script that generates such a string. As for “who would do it,” I can think of a number of groups who might craft ransomware using this as a threat vector.

      1. Fairly easy, as far as what’s required to trigger this vulnerability. All the sucker has to do is send an invite to a HomeKit home.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.