When Apple releases new updates for its operating systems, we often focus on the new features and functionality. As exciting as they can be, they often overshadow the vital bug fixes that Apple deploys alongside them. For example, in iOS 15.2 and iPadOS 15.2, Apple addressed dozens of security issues, many of which put users’ personal data at risk. But according to security researcher Trevor Spiniolas, Apple missed one dangerous HomeKit bug that it has known about for months.
Apple still hasn’t fixed this HomeKit bug
As Spiniolas explains on his website, attackers can use the HomeKit API to make an iOS device become unresponsive. Any iOS app with access to Home data can change the name of a HomeKit device using Apple’s HomeKit API. If an attacker creates an especially long name for the device in question, it can send iOS devices into a loop of freezing, crashing, and rebooting.
Spiniolas says that if a user changes the name of a HomeKit device, “the new name is stored in iCloud and is updated across all other iOS devices signed into the same account if Home Data is enabled.” He also notes that iOS updates this data without requiring any user interaction. When an iOS device loads the new data, there are two possible outcomes, depending on the device.
If a device doesn’t have Home devices enabled in Control Center, the Home app will stop working. The app will immediately crash if the user tries to launch it. Reboots and updates don’t help. Even if a user restores their device, the Home app will break again once they sign back into iCloud.
On the other hand, if Home devices are enabled in Control Center, iOS will become unresponsive. You won’t be able to interact with your device at all. And even if you can interact, all inputs will be delayed. Eventually, your iPhone or iPad will reboot itself, but the cycle will repeat indefinitely.
Once again, manually resetting or updating the device won’t stop the boot loop. USB communication doesn’t work either. The user can only restore the device from Recovery or DFU mode. As a result, any local data stored on the device will be lost.
You can see the Apple HomeKit bug in action in the video from Spiniolas below:
What you can do about this dangerous bug
Spiniolas first reported this bug to Apple on August 10th. Apple did introduce a limit on the length of HomeKit device names in iOS 15 or iOS 15.1, but the attackers can still trigger the bug on devices with earlier versions of iOS. Also, if the bug triggers on a device without the character limit, that device can still share HomeKit data with devices on newer versions of iOS. Thus, the bug still affects both devices. Even if a user hasn’t added any Home devices, they can still have their phones and tablets affected by accepting an invite to a Home containing an affected HomeKit device.
Spiniolas was able to replicate the bug on iOS 14.7 all the way through iOS 15.2. He claims that the bug likely affects every version of iOS 14 as well.
The easiest way to avoid the bug is to decline any invitations to join an unknown Home network. Also, if you don’t use HomeKit devices, it might be best to disable “Show Home Controls” in Control Center until Apple actually addresses this problem. In the meantime, you’re at risk.
“Apple’s lack of transparency is not only frustrating to security researchers who often work for free,” Spiniolas writes, “it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.”
