UPDATE: As of 12 January 2022 Apple has fixed this security issue in iOS 15.2.1. Read more in iOS 15.2.1 update closes critical gap in HomeKit – install now.
Apple’s home automation system HomeKit contains a bug that could allow for extremely annoying pranks, and could even cause your iPhone to become unusable.
Trevor Spiniolas (via 9to5Mac) found the bug, which can cause an iPhone or iPad to stop responding to calls and freeze altogether. The bug, like so many others, involves a feature that doesn’t check an input before processing it.
In this case, it concerns the renaming of devices added to the home via the Home app or another HomeKit app. HomeKit doesn’t check the length of the name, and entering an extremely long string of text – we’re talking somewhere in the region of 500,000 characters – freezes not only HomeKit or the Home app, but the entire system.
Worse, because HomeKit accessories are added to your iCloud account and shared to all your devices, the bug spreads to all devices where you’re logged into the same account.
In iOS 15.1, Apple fixed the Home app so that you can’t enter such long names. But the issue hasn’t been fully dealt with: in iOS 15.1 and even in 15.2, nothing prevents other HomeKit-connected apps from triggering the misbehaviour.
Someone who wants to make life miserable for others can create a home that includes an accessory with an extremely long name, then share an invitation to the home. If the recipient accepts the invitation, their device will become unusable.
It’s not even possible to reinstall iOS and load a backup to get rid of the bug because the buggy name is linked to the iCloud account, not that particular device.
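As an added illustration (not Apple's code and not part of the original article), the Python sketch below models why fixing only the Home app was not enough: the length check lives in the shared store, so a rename from the UI, a rename from any other app, and names arriving through sync or an accepted invitation all pass through the same validation. The class and function names, the placeholder text and the 64-character cap are assumptions made for this example.

```python
import unicodedata

MAX_NAME_CHARS = 64              # assumed cap for this sketch, not Apple's limit
PLACEHOLDER = "Unnamed accessory"

class NameRejected(ValueError):
    pass

def validate_name(name):
    """Single check shared by every path that can set an accessory name."""
    if not isinstance(name, str):
        raise NameRejected("name must be text")
    if len(name) > MAX_NAME_CHARS:   # cheap length test before any other processing
        raise NameRejected(f"name too long: {len(name)} characters")
    # Drop control characters, then trim surrounding whitespace.
    cleaned = "".join(c for c in name if unicodedata.category(c) != "Cc").strip()
    if not cleaned:
        raise NameRejected("name is empty")
    return cleaned

class AccessoryStore:
    def __init__(self):
        self.names = {}
        self.quarantined = []

    def rename(self, accessory_id, name):
        # Local write path: the UI and third-party apps both end up here,
        # so a check in the UI alone would leave the second caller unchecked.
        self.names[accessory_id] = validate_name(name)

    def ingest_synced(self, records):
        # Remote path: names from account sync or an accepted invitation are
        # untrusted and re-validated, because the bad value persists upstream.
        for accessory_id, name in records:
            try:
                self.names[accessory_id] = validate_name(name)
            except NameRejected as err:
                self.names[accessory_id] = PLACEHOLDER
                self.quarantined.append((accessory_id, str(err)))
        return self.quarantined

def demo():
    store = AccessoryStore()
    store.rename("lamp-1", "Desk lamp")
    # Constructed sample records; the second name has the length the article cites.
    synced = [("plug-7", "Hall plug"), ("cam-3", "A" * 500_000)]
    store.ingest_synced(synced)
    return store
```
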
How to avoid the bug
If you’ve turned off the HomeKit features in Control Centre, the effect will be milder. The Home app will stop working, but the rest of the system will still be usable.
Until Apple fixes the bug, we recommend that you do not accept any invitations to the Home app.
This article originally appeared on Macworld Sweden. Translation (using DeepL) and additional reporting by David Price.