Apple fixes HomeKit API bug that freezes iPhones and iPads

Apple’s latest update fixes a HomeKit API bug in which an extremely long name given to a smart home device, such as the HomePod mini (pictured), can be used maliciously to ‘lock’ iOS devices that try to connect to it. — Apple

Apple has patched an iOS bug that could cause connecting to a HomeKit smart home setup to crash your smartphone or tablet.

The latest update, iOS version 15.2.1, deals with the bug, which was reported by The Verge and originally spotted by security researcher Trevor Spiniolas, who disclosed it to Apple in August 2021, per his Jan 1 blog post.

The vulnerability in HomeKit, the software API used to connect smart home devices to iOS apps, is triggered by giving a HomeKit device an extremely long name, about half a million characters long.

When an iOS device connects, attempting to read that name will lock it in a freeze-crash-reboot cycle that requires a complete wipe of the iOS device to fix.

For extra nastiness, as HomeKit device names are backed up to iCloud, signing in with the same account restores the problematic name and triggers the issue again.

Before the latest patch, the only way to avoid this death loop was to immediately reject invitations to join an unfamiliar Home network.

On Apple’s support page, the notes for the latest update state that the HomeKit fix addresses how “processing a maliciously crafted HomeKit accessory name may cause a denial of service”.

The Verge notes that the fix likely works by preventing long HomeKit device names from being read into memory by iOS devices.

According to Spiniolas’ blog, the bug had not been addressed for quite a while, and could affect devices with iOS versions as far back as 14.7. Users are therefore advised to update their devices to avoid the problem.
