Apple has taken its time fixing an iOS bug that makes it easy for attackers to completely disable an iOS device unless the victim performs a factory restore and follows other cumbersome steps, a researcher said.
HomeKit is a communication protocol developed by Apple that allows users to use their iPhones or iPads to control lights, televisions, alarms, and other household or office devices. Users can configure their devices to automatically discover devices on the same network, and they can also share these settings with other people so they can use their own iPhones or iPads to control the devices. The sharing function makes it easy to allow new people – for example a house sitter or babysitter – to control a user’s devices.
Trevor Spiniolas, a programmer and self-described “budding security researcher”, said recently that a flaw in HomeKit allows someone to send an iOS device into an endless spiral of unresponsiveness. It can be triggered by using an extremely long name – up to 500,000 characters long – to identify one of the smart devices and then tricking a user into accepting an invitation to join that network.
As the demonstration videos below show, the device gradually stops responding until it finally freezes completely. Restarting the device does not help. When the lock screen appears, it is impossible to enter a passcode. All that remains is to perform a factory restore. Even then, once the device is restored, it will stop responding again as soon as it logs back into the user’s iCloud account during setup.
Spiniolas said he notified Apple of the bug in August and received a response saying it would be fixed by the end of the year. According to the researcher, Apple later said the fix would not arrive until early 2022. At that point, he told the company that he intended to disclose the bug publicly.
“I believe this bug is being handled inappropriately because it poses a serious risk to users and it has been many months without a comprehensive resolution,” he wrote. “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”
The researcher said Apple recently updated iOS to mitigate the problem. The patch limits the number of characters in device names. However, this does not prevent an attacker from running an earlier iOS version that still allows excessively long device names and then tricking someone into accepting an invitation. Even if the recipient is running the latest version of iOS, the device will be completely locked up.
This denial-of-service bug is minor compared to the zero-click vulnerabilities that often allow attackers to execute malicious code on iPhones. But if Apple wants to encourage users to trust their iOS devices, it really should fix this bug. Apple representatives did not respond to an email asking for comment on this article.