Illustration by Alex Castro / The Verge
You should always be wary of invites to a stranger’s Home.
That’s the upshot of a new piece of security research that has found a vulnerability capable of locking iOS devices into a spiral of freezing, crashing, and rebooting if a user connects to a sabotaged Apple Home device.
The vulnerability, discovered by security researcher Trevor Spiniolas, can be exploited through Apple’s HomeKit API, the software interface that allows an iOS app to control compatible smart home devices. If an attacker creates a HomeKit device with an extremely long name — around 500,000 characters — then an iOS device that connects to it will become unresponsive once it reads the device name and enter a cycle of freezing and rebooting that can only be ended by wiping and restoring the iOS device.
What’s more, since HomeKit device names are backed up to iCloud, signing in to the same iCloud account with a restored device will trigger the crash again, with the cycle continuing until the device owner switches off the option to sync Home devices from iCloud.
Though it’s possible that an attacker could compromise a user’s existing HomeKit-enabled device, the most likely way the exploit would be triggered is if the attacker created a spoof Home network and tricked a user into joining via a phishing email.
To guard against the attack, the main precaution for iOS users is to instantly reject any invitations to join an unfamiliar Home network. Additionally, iOS users who currently use smart home devices can protect themselves by entering the Control Center and disabling the setting “Show Home Controls.” (This won’t prevent Home devices from being used but limits which information is accessible through the Control Center.)
Spiniolas released details on his personal website on January 1, 2022. He was previously credited by Apple for discovering a vulnerability in macOS Mojave that was patched in 2019. The new vulnerability affects the latest iOS version, 15.2, and goes back at least as far as 14.7, Spiniolas said.
Spiniolas also accused Apple of being slow to respond to the initial disclosure, which was made months before the public release. The researcher shared emails with The Verge that appeared to show an Apple representative acknowledging the issue and requesting Spiniolas refrain from publishing details until early 2022. The blog post detailing the vulnerability claims that Apple was made aware of the issue on August 10, 2021.
“Apple’s lack of transparency is not only frustrating to security researchers who often work for free, it poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters,” Spiniolas wrote.
Apple had not responded to a request for comment by time of publication.