HomeKit bug turns iPhone into useless brick

According to security researcher Trevor Spiniolas, bad guys only need to edit the name of the HomeKit device to something about 500,000 characters long to cause the above error.

In his personal blog post, Spiniolas shared that he reported this bug to Apple on August 10, but it is still in iOS 15.2. Apple promised to address the issue in an update released before 2022 but failed to deliver on that promise.

Now Apple has promised again that they will look into the issue in early 2022. However, Spinolas couldn't wait any longer, so it self-published the vulnerability to warn users.

"When the name of a HomeKit device is changed to a long string (500,000 characters in my testing) any device with the affected iOS version installed will be interrupted when loading the string, loading thread continues to break after reboot. Restoring the device to factory condition and re-login to the iCloud account associated with that HomeKit device will cause the error again," Spiniolas wrote.

The security researcher further noted that in iOS 15.1 (probably iOS 15.0) Apple added a limit on the length of names an app or user can give HomeKit accessories. However, it is not clear why the previous versions and this limited version of iOS 15.2 were removed.

Notably, this bug affects users with no Home devices added. This happens when someone accepts an invitation to Home that contains a HomeKit device with a long string name.

"If an attacker exploits this vulnerability, they only need to send out invitations to join Home to be able to damage the victim's iPhone," Spiniolas said.

Here is a demo video of an iPhone with an error:

Hopefully Apple will take measures to fix this problem soon!

Samuel Daniel

Update 08 January 2022