A security researcher has uncovered a vulnerability in Apple's HomeKit platform that could render your iPhone (or that of anyone else with access to your Apple Home installation) useless. The bug was reported by security researcher Trevor Spiniolas, who described in a blog post how changing the name of a HomeKit device to something like 500,000 characters causes the issues...

In the blog post, Spiniolas says the bug was initially reported to Apple on August 10 and remains in iOS 15.2. The company is said to have promised to fix the issue in a security update before 2022, but it hasn't delivered on this promise. Apple now says it will revisit the issue in "early 2022," but Spiniolas is taking matters into his own hands and making the information public in the meantime.

Here's the summary of the bug, according to Spiniolas' blog post:

"When a HomeKit device is renamed to a large string (500,000 characters during testing), any device that has an affected iOS version installed and loads the string will be interrupted, even after reboot. Restoring a device and logging back into the iCloud account associated with the HomeKit device will re-trigger the bug."

The security researcher notes that in iOS 15.1, Apple added a limit to the length of the name an app or user can set for a Home accessory.

"Using Apple's HomeKit API, any iOS app with access to Home data can rename HomeKit devices. iOS 15.1 (or possibly 15.0) introduced a limit on the length of the name that an app or the user can set. On earlier iOS versions, an application can trigger the bug as this limit is not present. If the bug is triggered on an iOS version without the limit and the device shares HomeKit data with a device on an iOS version with the limit, both will still be affected."

The bug affects users even if they have not added Home devices. This would happen if someone accepted "an invitation to a home with a HomeKit device named with a large string".
This is true even for the latest version of iOS 15.2. "If an attacker were to exploit this vulnerability, they would be more likely to use Home invites than an application anyway, since invites don't actually require the user to own a HomeKit device," Spiniolas continues.

The outcome

So, what is the outcome if you are affected by this? It basically comes down to whether or not you've enabled Home devices in the Control Center. As Spiniolas points out, enabling Home devices in the Control Center is the default behavior when a user accesses Home devices.

Here's what happens if the devices don't have Home devices enabled in the Control Center:

"The Home app becomes completely unusable and crashes on startup. Restarting or updating the device does not resolve the issue. If the device is restored but then logs back into the previously used iCloud, the Home app will become unusable again."

And if your devices have Home devices enabled in the Control Center:

"iOS has stopped responding. All input to the device is ignored or significantly delayed, and it cannot communicate meaningfully via USB. After about a minute, watchdog terminates backboardd and reloads, but the device continues to be unresponsive. This cycle repeats indefinitely with occasional reboots. However, restarting does not solve the problem, and neither does updating the device. Since USB communication no longer works except from recovery or DFU mode, at this point the user has effectively lost all local data because his device is unusable and cannot be backed up. Crucially, if the user restores their device and logs back into the previously used iCloud associated with the data, the bug will be re-triggered with the exact same effects as before."

Homekit.Blog's Take

This HomeKit bug is important for all the reasons Spiniolas laid out in his blog post.
Perhaps even more worrying, though, is that Apple has been aware of the issue since August and hasn't rolled out a full fix yet. Apple's bug reporting system has come under criticism over the years, and it's clear that not all quirks have been fixed. You can read the full blog post detailing this vulnerability here. Again, Apple has reportedly promised Spiniolas that it will patch this issue in "early 2022", but no further details are available.
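
The gap Spiniolas describes, a name-length limit applied only when a name is set, leaves a device exposed to oversized names that arrive through shared Home data. The following Python model is an added example, not Apple's or the researcher's code; the class names and the 64-character limit are assumptions made for illustration.

```python
# Model of write-side-only validation versus validation on load.
# Every name here is hypothetical; the real limit is not stated in the article.
MAX_NAME_LEN = 64  # assumed limit

class SharedHome:
    """Stand-in for Home data shared between every device in a home."""
    def __init__(self):
        self.accessory_names = {}

class LegacyClient:
    """Client on an OS version that has no rename limit."""
    def rename(self, home, accessory_id, name):
        home.accessory_names[accessory_id] = name

class WriteLimitedClient:
    """Client that enforces the limit only when it sets a name itself."""
    def rename(self, home, accessory_id, name):
        if len(name) > MAX_NAME_LEN:
            raise ValueError("accessory name exceeds limit")
        home.accessory_names[accessory_id] = name

    def load_name(self, home, accessory_id):
        # Shared data is trusted as-is: the limit is never applied on this path.
        return home.accessory_names[accessory_id]

class LoadValidatingClient(WriteLimitedClient):
    """Client that also bounds every name it reads from shared data."""
    def load_name(self, home, accessory_id):
        name = home.accessory_names[accessory_id]
        if len(name) > MAX_NAME_LEN:
            return name[:MAX_NAME_LEN - 3] + "..."  # clamp before any UI sees it
        return name

def demo():
    home = SharedHome()
    oversized = "A" * 500_000  # constructed sample, length from the researcher's testing
    LegacyClient().rename(home, "lamp-1", oversized)
    try:
        WriteLimitedClient().rename(home, "lamp-2", oversized)
        write_blocked = False
    except ValueError:
        write_blocked = True
    return {
        "write_blocked": write_blocked,
        "write_limited_loads": len(WriteLimitedClient().load_name(home, "lamp-1")),
        "load_validating_loads": len(LoadValidatingClient().load_name(home, "lamp-1")),
    }

if __name__ == "__main__":
    print(demo())
```

The write-limited client refuses to set the oversized name itself yet still loads all 500,000 characters written by the legacy client, while the load-validating client never hands more than the bounded length to the rest of the system.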