TECH: A flaw in Apple HomeKit can cause iPhones to crash.

January 5, 2022, 3:37 pm

Poor man­age­ment of the names of con­nect­ed objects can freeze the oper­at­ing sys­tem. No fix­es are avail­able at this time.
Secu­ri­ty researcher Trevor Spin­io­las has just revealed the exis­tence of a flaw in Apple’s Home­K­it home automa­tion soft­ware, which allows trig­ger­ing a denial of ser­vice on any device run­ning iOS, includ­ing cur­rent ver­sion 15.2. The bug is found in the man­age­ment of the names of objects con­nect­ed to a Home­K­it net­work. If any of these names are too long (over 500,000 char­ac­ters for exam­ple), any iOS device that con­nects to that net­work will crash, as seen in this video.

The most like­ly attack sce­nario would then be for an attack­er to cre­ate such a Home­K­it net­work and then invite some­one to join. If the per­son agrees, the device will down­load the data from that Home­K­it net­work through iCloud, then the oper­at­ing sys­tem will freeze. The only way out of this mess is to restore the device with­out sign­ing into iCloud. When the device is oper­a­tional again, you can log in to iCloud as long as you imme­di­ate­ly dis­able access to Home­K­it, to avoid down­load­ing mali­cious data.

Obvi­ous­ly, this solu­tion is not very sat­is­fac­to­ry, because we lose the Home­K­it func­tion­al­i­ty. Those with Xcode devel­op­ment skills can take it a step fur­ther and use the exploit code that Trevor Spin­io­las post­ed on GitHub to rename all the object names on the mali­cious Home­K­it net­work. Unfor­tu­nate­ly, there is no eas­i­er way to solve the problem.

Apple was alert­ed to the issue on August 10, 2021. The com­pa­ny has indi­cat­ed it will pro­vide an “ear­ly 2022” fix, but the researcher believes the flaw deserves more atten­tion. “I think this bug allows ran­somware to be cre­at­ed on iOS, which is incred­i­bly impor­tant,” he said in a blog post. Giv­en this risk, Spin­io­las felt it was bet­ter to let the pub­lic know now, rather than wait for a patch to be released.

Be the first to comment

Leave a Reply

Your email address will not be published.