New hacker trick makes iPhones and iPads unusable

Normally, Apple is quick to fix vulnerabilities in iOS. But the company is taking its time with one particularly dangerous bug.

A security researcher has discovered a bug in Apple’s HomeKit platform that can render the iPhone or iPad unusable in the worst case. The vulnerability affects the Home app, which allows users to control their smart home devices.

HomeKit bug freezes iPhone and iPad.

Security researcher Trevor Spiniolas reports on his private blog how hackers could exploit the vulnerability. According to the report, it is sufficient to change the name of a smart home device stored in the Home app to a combination of 500,000 characters (letters, numbers and special characters). If an iPhone or iPad tries to display this combination of characters in the Home app, the entire operating system freezes. Even after a complete factory reset, this problem persists when logging back in with the iCloud account that the smart home device is tied to. Spiniolas found the bug on iPhone 7, iPhone Xs and iPad 6 running iOS versions 14.7 to 15.2.

How can hackers exploit the vulnerability?

What makes the HomeKit bug so dangerous is that it doesn’t require any special malware or hacking skills. This is because the Home app in iOS allows smart home devices to be shared with other people. Attackers therefore only need to send an invitation to a manipulated smart home. Knowing the target’s email address is enough to do so.

If you accept this invitation, two things can happen:

  1. If you don’t have any smart home devices stored in the Home app yourself, and Home controls are disabled in the Control Center, only the app crashes. But even after resetting the iPhone, the app remains unusable because the manipulated data is stored in iCloud.
  2. If the Home controls are enabled in the Control Center, the attack causes the operating system to freeze completely. The controls are added to the Control Center automatically as soon as a smart home device has been set up in the Home app. Neither rebooting nor updating solves the problem, rendering the iPhone or iPad unusable. Connecting via USB to a computer is also not possible, making locally stored files inaccessible. Even after a reset, the error still persists when logging back in with the iCloud account.

As if that wasn’t enough, other iPhones and iPads can also be infected with the bug. This is because all devices logged in with the same iCloud account share the Home app data with each other. If an iPhone is affected by the HomeKit attack and syncs with other devices, the bug spreads to them.

Spiniolas’s fear is that attackers could abuse the vulnerability for blackmail. If they use manipulated HomeKit invitations to render users’ iPhones and iPads unusable, they could demand a ransom to unlock access.

Apple is taking its time with a bug fix for HomeKit

The security researcher reported the bug to Apple back in August 2021. The company vowed to roll out a bug fix that same year. But in December, Apple postponed the fix until early 2022. In Spiniolas’s view, that is not fast enough, which is why he is now reporting the vulnerability on his private blog. His reasoning for making the bug public before Apple does: “the public should know about this vulnerability and how to protect themselves from exploiting it, rather than being kept in the dark about it.” Since Apple has not yet fixed the vulnerability, the bug remains in the latest iOS 15.2.

It’s true that Apple added a limit to the character length a smart home device can have in iOS 15.1. However, hackers could simply use older iOS versions to change the name to 500,000 characters. If they share the manipulated smart home with an iPhone running iOS 15.1 or later, it will crash despite the character limit.
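The gap described above, as an added Python example (not code from Apple or from Spiniolas’s write-up): a length limit enforced only where a name is edited does nothing against a name written by an older client, so the receiving device has to validate synced records itself. The 64-character limit, the record layout and all function names are assumptions made for this illustration.

```python
from dataclasses import dataclass

MAX_NAME_CHARS = 64               # assumed limit; the article does not state Apple's value
PLACEHOLDER = "Unnamed accessory"  # shown instead of a rejected name


@dataclass
class Accessory:
    accessory_id: str
    name: str


def rename_with_ui_limit(acc: Accessory, new_name: str) -> None:
    """Write-side check only: what a patched editing client enforces."""
    if len(new_name) > MAX_NAME_CHARS:
        raise ValueError("name exceeds limit")
    acc.name = new_name


def ingest_shared_home(records: list[dict]) -> tuple[list[Accessory], list[str]]:
    """Read-side check: validate every synced record before UI code sees it.

    Returns the accessories that are safe to render and the ids whose
    names were rejected and replaced with a placeholder.
    """
    safe, rejected = [], []
    for rec in records:
        acc_id = str(rec.get("id", ""))
        name = rec.get("name")
        too_long = isinstance(name, str) and len(name) > MAX_NAME_CHARS
        if not isinstance(name, str) or too_long or not name.strip():
            rejected.append(acc_id)
            name = PLACEHOLDER
        safe.append(Accessory(acc_id, name))
    return safe, rejected


# Constructed sample sync payload: the second record stands for a name
# written by a client that never applied the editing limit.
SAMPLE_SYNC = [
    {"id": "a1", "name": "Hallway lamp"},
    {"id": "a2", "name": "A" * 500_000},
]

if __name__ == "__main__":
    accessories, rejected_ids = ingest_shared_home(SAMPLE_SYNC)
    print([a.name for a in accessories], rejected_ids)
```
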

How can users protect themselves?

Since Apple itself has not yet provided a patch for the vulnerability, it is up to users to protect themselves. First and foremost, don’t accept HomeKit invitations from unknown contacts, even if they sound like an official Apple sender or smart home device.

It can also help to disable the Home controls in the Control Center if you don’t use the Home app at all. To do so, you need to go to Settings > Control Center > Home controls and disable the option.

If a device is already infected, the only solution is to reset it to factory settings. It is important not to log in with the previous iCloud account when resetting, as the device will then reinfect itself. Also, on all other iPhones and iPads connected to the same iCloud account, you should delete the Home app for the time being.

atechbook will inform you as soon as a security patch is available from Apple.

Sources

  • Blog by Trevor Spiniolas
  • 9to5Mac