The flaw can be exploited by using Apple’s HomeKit API, which is a software interface that allows an iOS app to control compatible smart home devices.
It was discovered by security researcher Trevor Spiniolas. An iOS device connected to a HomeKit device with a long name (around 500,000 characters) will become unresponsive once it reads the device name and enter a cycle of freezing and rebooting that can only be stopped by wiping and restoring the iOS device.
Furthermore, because HomeKit device names are backed up to iCloud, signing in to the same iCloud account with a restored device will cause the crash to occur again, and the cycle will continue until the device owner disables the iCloud sync option.
Though an attacker could compromise a user’s existing HomeKit-enabled device, the most likely way for the exploit to be triggered is for an attacker to create a spoofed Home network and entice a user to join it via a phishing email.
To protect themselves from the attack, iOS users should immediately reject any invitations to join an unfamiliar Home network. Additionally, iOS users who use smart home devices can protect themselves by going to the Control Center and disabling the setting “Show Home Controls.” (This will not prevent users from using Home devices, but it will limit the information available through the Control Center.)
According to Spiniolas, Apple was slow to respond to the initial disclosure, which was made months before the flaw became public. The Verge obtained emails from the researcher that appeared to show an Apple representative acknowledging the problem and requesting that Spiniolas wait until early 2022 to publish details. According to the blog post detailing the vulnerability, Apple was notified of the flaw on August 10, 2021.
“Apple’s lack of transparency is not only frustrating for security researchers who often work for free,” Spiniolas wrote, “but it also poses a risk to the millions of people who use Apple products in their daily lives by reducing Apple’s accountability on security matters.”
By the time of publication, Apple had not responded to a request for comment.