Red alert for owners of iPhones! A security researcher has just disclosed a bug present in iOS 15.2 (and dating back to iOS 14.7 and maybe even earlier versions) relating to HomeKit that could be used to permanently crash an iPhone.
Trevor Spiniolas found that changing the name of a HomeKit device to a large string (Spiniolas used 500,000 characters for testing) caused the associated iPhone to crash.
To make the situation more complex then, since the device name was saved to the user’s iCloud account, restoring an iPhone and reconnecting to the iCloud account linked to the HomeKit device again triggered the bug.
Rescue, instructions for use
According to the researcher, “[c]The bug poses a significant risk to iOS user data, but the public can protect themselves from the worst of its effects by disabling Home devices in the control center to protect local data. “
The latter decided to make this bug public after initially reporting it to Apple on August 10, and after Apple promised a fix “before 2022”. On December 10, Apple then informed Spiniolas that the patch would arrive “in early 2022”, which is when it decided to release the bug on January 1, 2022. “The public should be aware of this vulnerability and the way to prevent it from being exploited, writes Spiniolas, rather than being kept in the dark. “
Do you think you are affected by this bug? The researcher described the procedure for getting the iPhone to work again:
- Restore the affected device from Recovery or DFU mode;
- Set up the device normally, but do NOT sign in to the iCloud account again;
- Once the installation is complete, sign in to iCloud from settings. Immediately after, turn off the switch labeled “Home”. The device and iCloud should work again without access to home data.
Source: ZDNet.com