Security researcher Travis Spiniolas recently disclosed an issue in iOS versions prior to 15.2: a HomeKit device name, or an invitation containing one, longer than 500,000 characters triggers a boot-loop style lock that renders the device unusable. Spiniolas advised, “Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.” To bring the device back to a usable state, iCloud synchronization must be disabled in Settings promptly after the reset; failing to do so results in the same scenario.
Important notes about the vulnerability include:
- A device that already carries the overlong name will propagate it, through HomeKit data sharing, to a device that enforces the character limit, and that second device is affected as well.
- Even if no HomeKit devices are set up, the bug can be triggered by a Home invitation that contains a device name meeting the 500,000+ character requirement.
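The two notes above make one defensive point: a length check applied only where a user types a name does not protect a device from an overlong name that arrives through sync or an invitation. The following Python is an added illustration of that principle, not Apple's or the researcher's code; the 255-character bound, the JSON payload layout and the `validate_name`, `rename_accessory` and `ingest_remote_home` helpers are all assumptions made for this example, and the sample invitation is constructed.

```python
import json

# Assumed bound for this illustration; the page does not state Apple's actual limit.
MAX_NAME_LEN = 255


def validate_name(name) -> bool:
    """True when a home/accessory name is within the bound. Applied at every ingress point."""
    return isinstance(name, str) and 0 < len(name) <= MAX_NAME_LEN


def rename_accessory(home: dict, accessory_id: str, new_name: str) -> dict:
    """Local rename path: reject an overlong name before it is persisted or synced onward."""
    if not validate_name(new_name):
        raise ValueError(f"name of {len(new_name)} characters exceeds {MAX_NAME_LEN}")
    updated = dict(home)
    updated[accessory_id] = new_name
    return updated


def ingest_remote_home(payload_json: str):
    """Sync/invite path: the same check applied to data that arrives from another device.

    Returns (accepted accessories, quarantine log). A record that fails the check is dropped
    and logged rather than loaded, so one bad record cannot wedge the whole Home on this device.
    """
    payload = json.loads(payload_json)
    origin = payload.get("origin", "unknown")
    accepted, quarantined = {}, []
    for record in payload.get("accessories", []):
        name = record.get("name", "")
        if validate_name(name):
            accepted[record["id"]] = name
        else:
            quarantined.append(
                f"dropped accessory {record.get('id')!r} from {origin!r}: "
                f"name length {len(name) if isinstance(name, str) else 'n/a'} exceeds {MAX_NAME_LEN}"
            )
    return accepted, quarantined


# Constructed sample: a share invitation carrying one normal accessory and one
# whose name is 500,001 characters long (the kind of value described in the text).
SAMPLE_INVITE = json.dumps({
    "origin": "invite:constructed-sender@example.invalid",
    "accessories": [
        {"id": "acc-1", "name": "Living Room Lamp"},
        {"id": "acc-2", "name": "A" * 500_001},
    ],
})

if __name__ == "__main__":
    good, log = ingest_remote_home(SAMPLE_INVITE)
    print("accepted:", good)
    for line in log:
        print("quarantine:", line)
```

The rename path raises, because a local user can be told why the name was refused, while the remote path drops and logs, because there is nobody on this device to correct a record that another device or an unknown inviter produced. Either way the bound is checked where the data enters the Home store, not only in the UI that happens to sit in front of it.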
Spiniolas cautions that this bug opens an avenue to ransomware-style attacks on iOS: invitations could be sent from email addresses spoofed to resemble, or closely imitate, those of Apple or HomeKit device manufacturers.