A security researcher has publicly disclosed a bug present in iOS 15.2 (and going back to iOS 14.7 and possibly earlier) relating to HomeKit that could be used to permanently crash an iPhone.
Trevor Spiniolas found that by changing the name of a HomeKit device to a large string (Spiniolas used 500,000 characters for the testing), this would crash the associated iPhone.
To make matters worse, because the device name would be backed up to the user’s iCloud account, restoring a iPhone and signing back into the iCloud account linked to the HomeKit device would once again trigger the bug.
According to Spiniolas, “[t]his bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data.”
Spiniolas decided to make this bug public after initially reporting the bug to Apple on August 10, and Apple promising a fix “before 2022.” December 10, Apple then informed Spiniolas that the fix would come “early 2022,” which is when he decided to make the bug public on January 1, 2022.
“The public should be aware of this vulnerability and how to prevent it