Apple has patched an iOS bug that could cause connecting to a HomeKit smart home setup to crash your smartphone or tablet.
The latest iOS version 15.2.1 update deals with the bug reported by the Verge, which was originally spotted by security researcher Trevor Spiniolas who disclosed it to Apple in August 2021, per his Jan 1 blogpost.
The vulnerability in the HomeKit, the software API used to connect smart home devices to iOS apps, works by giving a HomeKit device an extremely long name of about a half million characters long.
When an iOS device connects, attempting to read that name will lock it in a freeze-crash-reboot cycle that requires a complete wipe of the iOS device to fix.
For extra nastiness, as HomeKit device names are backed up to iCloud, signing in with the same account restores the problematic name and triggers the issue again.
Before the latest patch, the only way to avoid this death loop was to immediately reject invitations to join an unfamiliar Home network.
On Apple’s support page, the latest update states that the HomeKit fix addresses how “processing a maliciously crafted HomeKit accessory name may cause a denial of service”.
The Verge notes that the fix likely works by preventing long HomeKit device names from being read into memory by iOS devices.
According to Spiniolas’ blog, the bug had not been addressed for quite a while, and could affect devices with iOS versions as far back as 14.7. Thus users are recommended to update their devices to avoid the problem.