It appears that Apple’s HomeKit has a vulnerability that if exploited, could render iPhones useless. This is according to a blog post by security researcher Trevor Spiniolas who discovered the vulnerability and shared the details on his website.
According to Spiniolas, it seems that the vulnerability involves allowing a HomeKit connected device to have its name changed to 500,000 characters. Spiniolas writes:
“When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting. Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug.”
The researcher says that he had initially reported the bug to Apple way back in August of 2021, but it appears that despite iOS 15.2 being released, the bug is still there. Apple had apparently promised to address it in another update by the end of 2021, but that did not happen, which is why Spiniolas has decided to go public with his discovery.
That being said, it seems that users don’t even need to have devices connected to HomeKit for this bug to occur. It can even affect users who are invited to a Home that contains a HomeKit device with the large string in its name. Those who are affected will then find that their phones will become unresponsive and that any input to the device will either be ignored or significantly delayed.
You can actually see this bug in action in the video above. Hopefully Apple will have a fix for it soon.