HomeKit Security Flaw Could Crash Your iPhone | How to Protect Yourself

Home App in Apple App Store on iPhone 11 Pro Credit: Elijah Fox / iDrop News

A security researcher has discovered a new vulnerability in an unlikely place: Apple’s HomeKit framework.

Over the weekend, Trevor Spiniolas, a developer who describes himself as a “beginning security researcher,” revealed a vulnerability that he had discovered in August pertaining to Apple’s HomeKit APIs.

Spiniolas dubbed the vulnerability doorLock, and chose to go public with it after Apple failed to meet its originally promised deadline of resolving it before the end of 2021. The developer explains that he reported the bug to Apple on August 10, 2021, and yet it remains unfixed in iOS 15.2.

According to Spiniolas’ blog, Apple revised its estimate for a fix to “early 2022,” on December 8, after which Spiniolas informed the company that he would be going public with it on January 1, 2022, as he felt that people had a right to know about it.

“The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark.” (Trevor Spiniolas)

Spiniolas notes that the problem exists at least as far back as iOS 14.7, and appears to affect both iPhone and iPad devices, but the good news is that it’s not something you’re too likely to bump up against in any real-world scenarios.

The Problem

According to Spiniolas’ testing, changing the name of a HomeKit device to an extremely large string — one of 500,000 characters or more — will cause any device “with an affected iOS version installed” to be disrupted as soon as it accesses that particular HomeKit device.

This problem will persist across reboots, and even after restoring an iPhone or iPad from an iCloud backup, since HomeKit configurations are included in those backups. To make matters worse, the problem will spread to all iOS and iPadOS devices that share the same iCloud account.

After the user’s iPhone is “infected” by the rogue HomeKit device name, at a minimum, the Home app will become unusable. However, if the user has HomeKit devices enabled in Control Centre, which happens by default after setting up a new home, then the entire iOS device will effectively crash, whether the user opens the Home app or not.

“All input to the device is ignored or significantly delayed, and it will be unable to meaningfully communicate over USB. After around a minute, backboardd will be terminated by watchdog and reload, but the device will remain unresponsive. This cycle will repeat indefinitely, with an occasional reboot. Rebooting, though, does not resolve the issue, nor does updating the device. Since USB communication will no longer function except from Recovery or DFU mode, at this point the user has effectively lost all local data as their device is unusable and cannot be backed up.” (Trevor Spiniolas)

On his blog, Spiniolas shares several videos showing the bug in action, and offers some suggestions for how users who have been impacted can recover from this scenario. This basically amounts to forcing your device into Recovery or DFU mode, restoring it, and then avoiding signing in to iCloud until you have an opportunity to disable the synchronization of HomeKit data in iCloud Settings.
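The underlying weakness is an unbounded string accepted from synced or shared data. As an added example (not from the article, from Spiniolas, or from Apple), here is a guard an app could run on accessory names before handing them to UI code; the type and function names and both size limits are assumptions chosen for illustration.

```swift
// Added example: names and limits below are assumptions, not Apple's values or fix.
enum NameCheck: Equatable {
    case ok(String)
    case truncated(String, originalBytes: Int)
    case rejected(reason: String)
}

let maxDisplayBytes = 256        // assumed budget for a name shown in UI
let hardRejectBytes = 64 * 1024  // assumed ceiling; larger names are never processed

func checkAccessoryName(_ raw: String) -> NameCheck {
    let originalBytes = raw.utf8.count
    // Refuse oversized input before any per-character work or text layout.
    guard originalBytes <= hardRejectBytes else {
        return .rejected(reason: "name is \(originalBytes) bytes")
    }
    // Drop control characters (newlines, escapes) that have no place in a label.
    var scalars = String.UnicodeScalarView()
    for s in raw.unicodeScalars where s.properties.generalCategory != .control {
        scalars.append(s)
    }
    let cleaned = String(scalars)
    guard !cleaned.isEmpty else { return .rejected(reason: "empty after cleaning") }

    // Truncate on Character boundaries so emoji and accents are never split.
    var out = ""
    var used = 0
    for ch in cleaned {
        let size = String(ch).utf8.count
        if used + size > maxDisplayBytes {
            return .truncated(out, originalBytes: originalBytes)
        }
        out.append(ch)
        used += size
    }
    return .ok(out)
}

// Constructed samples: a normal name, a long one, and one at the size the article cites.
let samples = [
    "Front Door Lock",
    String(repeating: "é", count: 300),
    String(repeating: "A", count: 500_000),
]
for name in samples {
    print(checkAccessoryName(name))
}
```

The same check belongs at every point where a name enters the app, including data restored from a backup or synced from another device, since the article notes the bad name travels with both.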

How to Prevent It

Even though Spiniolas describes this vulnerability as a “significant risk to the data of iOS users,” it’s safe to say that statement is a bit alarmist, since most users are very unlikely to fall victim to this attack.

The problem only occurs if you have a device on your HomeKit network that has a name of 500,000 characters or more. That’s not going to happen accidentally, and Apple’s security makes it unlikely that anybody would be able to compromise your HomeKit network to rename one of your devices in that way. That would have to be a targeted attack.

In fact, the most likely vector for this attack is for a malicious actor to set up a fake HomeKit network, and then invite potential victims to join that Home as guests, likely via a phishing email or direct HomeKit notification.

So, the moral of the story here is, don’t accept invitations to control any strange homes. If you do get a HomeKit invitation that looks like it could have come from someone you know, check with them first before accepting it, just to make sure.

This bug doesn’t get triggered until you actually join a HomeKit network, and your iPhone or iPad loads in the device names from that network. Further, while this bug will render your iPhone unusable, there’s no evidence that it provides hackers with any way to get at your data or otherwise take control of your iPhone. This makes it of very little value for professional criminals, but that doesn’t mean somebody might not take advantage of it for reasons of personal nastiness, or simply as a way to prank their so-called friends.
