A security researcher has reported an iOS 15.2 bug that can render an iPhone completely useless even after a restore. Apple apparently is aware of the bug and promises a fix in early 2022.
Trevor Spiniolas has discovered a bug that can be exploited through the HomeKit API. An attacker exploiting the bug would use the API to change the names of a user’s HomeKit devices to something extremely lengthy (the test name had 500,000 characters), which will in turn be backed up to the associated iCloud account. If the user has Home devices enabled in Control Center, the iPhone will become unresponsive.
Spiniolas says rebooting or restoring the device doesn’t help as long as the user continues to sign into the same iCloud account. There are workarounds but the only fix would be to rename the HomeKit devices using the API.
Apple is aware of the issue, according to Spiniolas, who reported the bug in August. He says he informed Apple he would be publishing the results of his findings in January 2022 and criticizes Apple’s “lack of transparency” that “poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.” He says Apple has delayed the fix, which was originally due to arrive in December, until early 2022.
While it may seem like a farfetched case, Spiniolas warns that the issue raises the possibility of ransomware. In addition to changing the names of a user’s HomeKit devices, he also paints a picture where an attacker “could also send invitations to a Home containing the malicious data to users on any of the described iOS versions, even if they don’t have a HomeKit device.”
He purports that an attacker “could use email addresses resembling Apple services or HomeKit products to trick less tech-savvy users (or even those who are curious) into accepting the invitation and then demand payment via email in return for fixing the issue.”
Spiniolas outlines how to fix the issue by restoring the iPhone without signing into the same iCloud account, then singing in after setup and immediately disabling the “Home” switch. He also recommends removing Home shortcuts from the Control Center.