Security Researcher Travis Spiniolas recently disclosed an issue in iOS prior to version 15.2: a HomeKit device name or invite containing a string of more than 500,000 characters triggers a boot-loop style lock, rendering the device unusable. Spiniolas advised, “Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.” To restore device functionality, one must disable iCloud synchronization in Settings promptly after the reset; failing to do so reproduces the same scenario.
Important notes about the vulnerability include:
- A device on which the bug has been triggered and that shares HomeKit data with a second device will affect that second device as well, even if the second device has a character limit in place.
- If no HomeKit devices are active, the bug can still be triggered by an invite containing a device name that meets the 500,000+ character requirement.
Spiniolas cautions that this bug offers an avenue for ransomware attacks on iOS, with invitations sent from email addresses that spoof or resemble those of Apple or HomeKit device manufacturers.
Vulnerabilities such as this highlight the need to update all devices often, ensuring the latest security fixes are applied. While Apple has added a character limit, they did not remedy the core issue with how iOS handles device naming in HomeKit. As phishing is the most common avenue of infection, it would be trivial for any group, skilled or not, to attempt a campaign as described in the report. As always, vigilance when reviewing or clicking any link in any digital communication is a key factor in preventing exploitation.
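The design lesson behind the notes above (a device that limits name length at entry is still locked up when it receives an oversized name from a peer or an invite) is that bounds must be enforced on the receiving side too. The following is an added illustration, not Apple's, HomeKit's or the researcher's code: a naive ingestion routine that trusts a synced record list, beside a hardened one that caps the whole message and every field before storing anything and drops bad records instead of aborting. The field limit, payload cap, record layout and function names are assumptions for illustration; the page does not state Apple's actual limit.

```python
import json
from dataclasses import dataclass, field

MAX_NAME_CHARS = 64            # assumed per-field bound (the page does not give Apple's actual limit)
MAX_PAYLOAD_BYTES = 1_000_000  # assumed cap on an entire sync message


@dataclass
class HomeState:
    accessories: list = field(default_factory=list)
    rejected: list = field(default_factory=list)  # (record index, reason) for dropped entries


class OversizedField(ValueError):
    """Raised when a message or a single field exceeds its bound."""


def validate_name(name, limit=MAX_NAME_CHARS):
    """Return a name that is safe to store; reject anything out of bounds."""
    if not isinstance(name, str):
        raise TypeError("name must be a string")
    # len() counts code points; a byte-oriented store would check len(name.encode()) instead
    if len(name) > limit:
        raise OversizedField(f"name length {len(name)} exceeds {limit}")
    if not name.strip():
        raise ValueError("name must not be empty")
    return name


def apply_sync_unchecked(state, raw):
    """Naive ingestion: trusts whatever the peer sent (the failure mode described on the page)."""
    for record in json.loads(raw):
        state.accessories.append(record["name"])
    return state


def apply_sync_checked(state, raw):
    """Hardened ingestion: bound the message, then bound every field, skipping bad records."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        # refuse to even parse a message that is too large to be legitimate
        raise OversizedField(f"payload of {len(raw)} bytes exceeds {MAX_PAYLOAD_BYTES}")
    records = json.loads(raw)
    if not isinstance(records, list):
        raise ValueError("payload must be a JSON array of accessory records")
    for idx, record in enumerate(records):
        if not isinstance(record, dict):
            state.rejected.append((idx, "record is not an object"))
            continue
        try:
            name = validate_name(record.get("name"))
        except (TypeError, ValueError) as exc:
            state.rejected.append((idx, str(exc)))  # record and skip; never abort the whole sync
            continue
        state.accessories.append(name)
    return state


def build_sample_payload():
    """Constructed sample: one ordinary record and one with a 500,000-character name."""
    return json.dumps([
        {"name": "Living Room Lamp"},
        {"name": "A" * 500_000},
    ]).encode()


def build_oversized_payload():
    """Constructed sample whose serialized size exceeds the assumed message cap."""
    return json.dumps([{"name": "B" * 1_100_000}]).encode()


if __name__ == "__main__":
    raw = build_sample_payload()
    print("unchecked stored:", len(apply_sync_unchecked(HomeState(), raw).accessories))
    hardened = apply_sync_checked(HomeState(), raw)
    print("checked stored:", hardened.accessories, "rejected:", hardened.rejected)
```

The per-record `try`/`continue` matters as much as the length check: a sync handler that raises on the first bad record can itself become a denial-of-service path, since the same oversized record will arrive again on the next sync, which is exactly the re-trigger-after-restore behaviour the researcher describes.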