iOS-based devices could go into a cycle of freezing and crashing and eventually become unusable due to a HomeKit vulnerability that has been exposed by a security researcher. The issue exists in all iOS versions, starting with iOS 14.7.
iPhone users on the latest iOS version are also affected by the denial-of-service vulnerability, the researcher said. Apple is said to be aware of the issue and allegedly promised to address it before 2022. The flaw is, however, yet to be fixed.
Security researcher Trevor Spiniolas has detailed the scope of the HomeKit vulnerability that was initially reported to Apple on August 10 last year. An attacker can exploit the flaw and send your iPhone or iPad into a cycle of freezing and crashing by connecting it with a HomeKit device that has an extremely long name of around 500,000 characters, the researcher explained.
The iOS device is said to become unresponsive once it reads the device name. The attacker could also trigger the vulnerability by using an app to rename an existing HomeKit device. Alternatively, it could be exploited by sending an invite to a new HomeKit device that has a long name.
According to the researcher, Apple introduced a limit on the length of the name an app or the user can set for a HomeKit device in iOS 15.1. This helps reduce the impact to some extent, as an attacker can no longer trigger the vulnerability by renaming one of the connected HomeKit devices.
However, the issue can still impact users on the newer iOS versions if a HomeKit device with an extremely long name is connected via an invite.
The researcher also found that since Apple stores names of the connected HomeKit devices in iCloud, the issue persists even if a user restores an iOS device. “If the device is restored but then signs back into the previously used iCloud, the Home app will once again become unusable,” the researcher said.
In 2019, Apple credited Spiniolas for reporting a vulnerability in macOS Mojave. The researcher, however, accused the iPhone maker of giving an insufficient response to the fresh vulnerability.