Apple has been taking its time fixing an iOS bug that makes it easy for miscreants to completely disable an iOS device unless the victim performs a factory restore and follows other cumbersome steps, a researcher said.
HomeKit is an Apple-designed communication protocol that allows people to use their iPhones or iPads to control lights, TVs, alarms, and other home or office appliances. Users can configure their devices to automatically discover appliances on the same network, and they can also share those settings with other people so they can use their own iPhones or iPads to control the appliances. The sharing feature makes it easy to allow new people—say, a housesitter or babysitter—to control a user’s appliances.
Trevor Spiniolas, a self-described programmer and “beginning security researcher,” said recently that a bug in the feature allows someone to send an iOS device into an unending crash spiral. It can be triggered by using an extremely long name—up to 500,000 characters in length—to identify one of the smart devices and then getting a user to accept an invitation to that network.
As the demonstration videos below show, the device slowly becomes unresponsive until it eventually seizes up completely. Rebooting the device doesn’t help. By the time the login screen appears, it’s impossible to enter a passphrase. The only thing left to do is to perform a factory restore. And even then, once the device is restored, it will once again become unresponsive as soon as it logs back into the user’s iCloud account during setup.
Spiniolas said that he notified Apple of the bug in August and received a response saying that it would be fixed by the end of the year. Later, the researcher said, Apple said the fix would come in early 2022. That’s when he told the company he planned to disclose the bug publicly.
“I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” he wrote. “The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.”
The researcher said Apple recently updated iOS in an attempt to mitigate the problem. The patch limits the number of characters in device names. But that does nothing to prevent an attacker from running an earlier version that allows excessively long device names and then getting someone to accept an invitation. Even if the receiver is running the latest iOS version, the device will be completely locked up.
This denial-of-service bug is relatively tame when compared to the zero-click vulnerabilities that frequently allow attackers to execute malicious code on iPhones. But if Apple wants to encourage users to trust their iOS devices, it really ought to fix this bug. Apple representatives didn’t respond to an email seeking comment for this article.