Apple HomeKit

Apple HomeKit exploit can make your iPhone unusable

Apple's HomeKit can be exploited to force iOS devices into endless reboot cycles.

A bug in iOS 15.1 is capable of rendering an iPhone completely unusable, a new study by security researcher Trevor Spiniolas has revealed. 

According to the researcher, the vulnerability exists in all iOS versions, starting with iOS 14.7. According to the report, iPhone users on iOS 15 are also affected by this denial-of-service vulnerability.

Apple is said to be aware of the issue and had reportedly promised users a fix before 2022.

“When the name of a HomeKit device is changed to a large string (500,000 characters in testing),” Spiniolas says in a report on the flaw, “any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting. Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.”

In essence: A lamp with a name that’s over half a million characters long can render an iPhone or iPad all but useless by forcing it to constantly reboot itself. Spiniolas says that factory-resetting the device can stop the reboots from occurring, but signing in to the device’s associated iCloud account will trigger it all over again.

The good news is that these endless reboots only affect iOS devices configured to offer quick access to HomeKit products via Control Center. The bad news is that this is the default behavior; iOS users will have to change their settings to defend against this vulnerability. They’ll still have to deal with the Home app crashing all the time, but at least their iPhone and iPad will work.

It might seem like there’s an obvious way to mitigate this flaw: Don’t give a HomeKit device a 500,000-character-long name (who would!). But Spiniolas says that attackers could “send invitations to a Home containing the malicious data to users on any of the described iOS versions” to use the exploit as a persistent denial-of-service attack.

Apps with access to Home data can also change the names of devices, Spiniolas says, so the issue isn’t entirely within the user’s control.

Spiniolas says doorLock was disclosed to Apple on Aug. 10, 2021. The company reportedly said it would issue a fix sometime before the new year, but on Dec. 8, that estimate was apparently revised to “early 2022.”

Spiniolas decided to publicly disclose the vulnerability on Jan. 1 because “it poses a serious risk to users and many months have passed without a comprehensive fix.”

Spiniolas says of the company’s handling of doorLock:

In regards to Apple’s awareness of the issue, I found their response to be insufficient. Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done.

Status updates on the matter were rare and featured exceptionally few details, even though I asked for them frequently.

Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.

Apple didn’t immediately respond to a request for comment.