August 15, 2022
HomeKit vulnerability may cause iOS devices to freeze, crash

Apple’s iOS-based devices can go into cycles of freezing and crashing and eventually become unusable due to a HomeKit vulnerability that has been uncovered by a security researcher. The problem is present in all iOS versions starting with iOS 14.7. The researcher said that iPhone users on the latest iOS version are also affected by the denial of service vulnerability. Apple is said to be aware of the issue and reportedly promises to address it before 2022. However, the defect is yet to be rectified.

Security researcher Trevor Spiniolas Detailed The scope of the HomeKit vulnerability that was initially reported to Apple on August 10 last year. The researcher explained that an attacker could exploit the flaw and connect your iPhone or iPad to a HomeKit device and get into a cycle of freezing and crashing, which has a fairly long name of about 500,000 characters.

iOS device is said to become unresponsive after reading the device name. The attacker can also trigger the vulnerability by using the app to rename an existing HomeKit device. Alternatively, this can be exploited by sending an invitation to a new HomeKit device with a longer name.

According to the researcher, Apple introduced a limit to the name for an app or user for a HomeKit device in iOS 15.1. This would help mitigate the impact to some extent as the attacker could not affect users by triggering the vulnerability after renaming one of the HomeKit devices. But even then, the problem can still affect users on newer iOS versions if the HomeKit device is connected via an invite with a very long name.

The researcher also found that since Apple stores the names of connected HomeKit devices in iCloud, the problem persists even if a user restores the iOS device.

“If the device is restored but then signs back into the previously used iCloud, the Home app will become unusable once again,” the researcher said.

Spiniolas has made a video to give a brief look at the impact of the vulnerability even after restoring the iPhone.

Users can decline random invites from HomeKit devices on their iPhone and iPad to avoid being hit by the vulnerability. Users who are already using a smart home device can also protect their hardware by going to Control Center and disabling the Show Home Control setting.

If you’ve already been targeted by an attacker, the researcher recommends that you can fix the problem after you restore the affected device from recovery or DFU mode and set it up normally without signing up for your iCloud account. can do. Once you’ve signed up, you should sign in to iCloud from Settings and then immediately after signing in, disable the switch labeled Home.

Spiniolas said that although it notified Apple about the bug in August, the company had failed to fix it since its January 1 deadline.

“I believe this bug is being handled inappropriately because it poses a serious risk to users and several months have passed without a comprehensive fix,” the researcher said.

In 2019, Apple assessed Spiniolas to report vulnerability in macOS Mojave. However, the researcher accused the iPhone maker of giving inadequate response to the latest vulnerability.

Gadgets 360 has contacted Apple for comment on the matter. This report will be updated when the company responds.

Leave a Reply

Your email address will not be published.