An annoying bug that could send an iPhone or iPad into a seemingly endless boot loop of death using Apple's Home app has been disclosed. The researcher who found it claims Apple doesn't care enough about the flaw to fix it quickly.
"I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix," wrote security researcher Trevor Spiniolas (opens in new tab) in a PDF posted online earlier this month. "The public should be aware of this vulnerability and how to prevent it from being exploited, rather than being kept in the dark."
We're not so sure how much of a security risk this flaw — which Spiniolas calls "DoorLock" — actually poses, though it may appear that your iPhone is hopelessly bricked without possibility of recovery. (There are ways to rescue your iPhone, which we'll discuss below.)
But iPhone and iPad users should take steps to protect themselves against pranksters and trolls who might exploit the flaw for their own amusement.
We've also sent a request to Apple for comment on the issue, and we will update this story when we get a reply.
DoorLock: What's in a name?
According to Spiniolas, the bug is triggered when a very long name — we're talking hundreds of thousands of characters — is assigned to a device on a local HomeKit network, Apple's implementation of smart-home networking. Any iOS device linked to the network can arbitrarily change a device name.
"When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting," Spiniolas wrote in a blog post (opens in new tab).
Somehow (probably because very long names might "overflow" a memory allocation), this causes the Home app on iOS devices linked to the HomeKit network to crash, and to keep crashing until the troublesome device is renamed. Tom's Guide has not tried to replicate any of these issues, so we can't confirm they always work.
Even worse, says Spiniolas, if an iOS device has the Home app enabled in the Control Center (the swipe-down menu you access from an iPhone's main screen), then the iOS device will freeze up and become unresponsive.
Rebooting the device won't help, as the Home app will be loaded before the user can get to the Settings screen to remove Home from the Control Center. Even doing a full restore (which wipes the user data on the phone) will resolve matters only until the user logs into their iCloud account.
"Restoring a device and signing back into the iCloud account linked to the HomeKit device will again trigger the bug," wrote Spiniolas.
Recent versions of iOS all affected
The flaw affects at least iOS 14.7 and 14.8, Spiniolas wrote, and likely all versions of iOS 14. (Tom's Guide suspects all versions of iOS that support HomeKit, dating back to iOS 8, may be susceptible.)
Beginning with iOS 15 or maybe the 15.1 update, Spiniolas wrote — both of which were released after he disclosed the bug to Apple — users were prevented from giving HomeKit devices very long names. However, iOS 15 devices will still crash/freeze up as described above if they join HomeKit networks on which such devices are present.
Spiniolas says it's possible for attackers to invite iOS device users to join malicious HomeKit networks, or to change the names of devices on HomeKit networks that they're already joined. He even worries that this could lead to ransomware-like attacks on iOS devices, in which attackers could hold devices "hostage" until a ransom is paid, although we think that's unlikely.
As Sophos' Paul Ducklin (opens in new tab) wrote in a blog post of his own last week, "The good news is that the bug doesn't let attackers spy on your phone (or your HomeKit devices), steal data such as passwords or personal messages, install malware, rack up fraudulent online charges or mess with your network."
Spiniolas says he told Apple about this flaw on Aug. 10, 2021, but that the company keeps pushing back the date of a fix so that it's now "early 2022." Again, we've asked Apple for clarification.
How to get out of a boot loop caused by the DoorLock flaw
If you find your iOS device freezing up due to this flaw (and we think that's very unlikely), then Spiniolas says you'll need to perform a system restore process that will fully erase all the user data on your iPhone or iPad. (This is best done when "tethered" via a USB cable to a Mac or a PC, but here's how to do an iOS system restore without a computer (opens in new tab).)
However, don't sign into your iCloud account when the iOS device prompts you to, says Spiniolas. Instead, wait until the iPhone or iPad is fully set up locally, and then sign into iCloud from the Settings menu — and disable the switch labeled Home immediately.
Spiniolas doesn't address another possible way out: If you have HomeKit and the Home app set up on your Mac (opens in new tab) (available in macOS 10.14 Mojave and later), then you might be able to just rename the troublesome devices directly from your Mac without needing to perform a factory-restore process on your iOS devices. That's assuming there's no flaw similar to this one in the Mac version of the Home app.
How to avoid getting snagged by the DoorLock flaw
Fortunately, it's very easy to make sure you're not affected by any possible (however unlikely) attacks that exploit this flaw. As Sophos' Ducklin explains, the first steps are to not let anyone you don't live with join your HomeKit network — and to not join anyone else's HomeKit network even if they invite you. Really, that's just common sense.
To make sure you're never trapped in a HomeKit boot loop, Ducklin recommends pre-emptively removing Home from your iOS devices' Control Centers, which you can do in Settings > Control Center > Customize Controls.
Finally, and this is something all iOS users should do, regularly back up your devices to your Mac or PC of choice so that all your user data can be accessed without having to reach out to iCloud.
UPDATE: Apple releases iOS update to fix this flaw
We haven't had a chance to test the efficacy of the patch ourselves, but Apple described the update thus: "A resource exhaustion issue was addressed with improved input validation."
It added that the flaw's impact was that "Processing a maliciously crafted HomeKit accessory name may cause a denial of service."
In case there was any doubt which flaw was being fixed, credit was given to Spiniolas for its discovery. The flaw was also assigned the catalogue number CVE-2022-22558. HomeKit users should be grateful for Spiniolas for making a stink about this situation and getting it resolved.