Apple iPhone users can be blackmailed by attackers
Without any Home devices enabled in the Control Center, the Home app will crash as soon as it is opened, making it impossible to use. Rebooting or restoring the phone won’t help because, once the user signs back in to the same iCloud account, the Home app continues to behave the same way. If the user does have a Home device enabled in the Control Center, iOS becomes unresponsive and will loop with an “occasional reboot.”
This can be exploited for financial gain. The attacker could send an email from an address resembling an Apple service or a HomeKit product to get an iPhone user to accept the invitation, and then ask for a payment to rectify the issue. This could take place even if the iPhone user doesn’t own a HomeKit product.
As we noted at the top of this article, Apple has already been informed about this bug, and the researcher blasts Apple for its “lack of transparency” that “poses a risk to the millions of people who use Apple products in their day-to-day lives by reducing Apple’s accountability on security matters.” He says that Apple was supposed to fix this bug before the end of last year, but instead, it will issue a patch early this year.
Apple is expected to issue an update early this year
Spiniolas says that “A reliable method of regaining access to local data after the bug has been triggered has not been identified.” However, restoring the iPhone and signing into a new iCloud is possible if one were to follow these directions posted by the security researcher:
- Restore the affected iPhone from Recovery or DFU Mode.
- Set up the device as you would normally do, but refrain from signing back in to the iCloud account.
- After setup is finished, go ahead and sign in to iCloud from settings. As soon as you do this, disable the switch labeled “Home.”
The affected handset and iCloud should now work without access to Home data. If you need to have access to Home data and are able to install the testing application with Xcode, follow the three steps posted above and add the following:
- Press the back button and then press Control Center settings again, which will reload the page.
- Keep doing this until a setting labeled “Show Home Controls” is visible. Disable the setting immediately.
- Install the test application and run it using a short string that will change the name of all associated Home devices.
Spiniolas throws in his two cents by stating that “This bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data. In regards to Apple’s awareness of the issue, I found their response to be insufficient. Despite them confirming the security issue and me urging them many times over the past four months to take the matter seriously, little was done.”