Apple has taken its time to fix an iOS bug that makes it easy for crooks to completely disable an iOS device unless the victim performs a factory reset and takes other cumbersome steps, one researcher said.
HomeKit is a communication protocol designed by Apple that allows people to use their iPhones or iPads to control lights, televisions, alarms, and other home or office appliances. Users can configure their devices to automatically discover accessories on the same network, and they can also share those settings with other people so that they can use their own iPhones or iPads to control the accessories. The sharing feature makes it easy to allow new people, for example a housekeeper or babysitter, to control a user’s home appliances.
Trevor Spiniolas, a self-described programmer and “beginning security researcher,” said recently that a bug in the feature allows someone to send an iOS device into an endless lockdown spiral. It can be triggered by using an extremely long name, up to 500,000 characters in length, to identify one of the smart devices and then having a user accept an invitation to that network.
As the demo videos below show, the device slowly becomes unresponsive until it finally crashes completely. Restarting the device doesn’t help. By the time the login screen appears, it is impossible to enter a passphrase. The only thing left to do is perform a factory reset. And even then, once the device is restored, it will once again become unresponsive as soon as the user logs back into their iCloud account during setup.
Spiniolas said he notified Apple of the bug in August and received a response saying it would be fixed by the end of the year. Later, the researcher said, Apple said the fix would arrive in early 2022. That’s when he told the company that he planned to publicly disclose the bug.
“I think this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive solution,” he wrote. “The public must be aware of this vulnerability and how to prevent it from being exploited, rather than remain in the dark.”
The researcher said that Apple recently updated iOS in an attempt to mitigate the problem. The patch limits the number of characters in device names. But that doesn’t stop an attacker from running an older version that still allows excessively long device names and then having someone accept an invitation. Even if the recipient is running the latest version of iOS, the device will be completely locked.
This denial-of-service bug is relatively tame compared to zero-click vulnerabilities that frequently allow attackers to execute malicious code on iPhones. But if Apple wants to encourage users to trust their iOS devices, it really should fix this bug. Representatives for Apple did not respond to an email seeking comment for this story.