Apple releases iOS 15.2.1 to patch a serious HomeKit DDoS vulnerability
The bug was publicly disclosed at the start of the year.
Apple has released iOS 15.2.1, its latest software update for recent iPhone and iPad devices. The patch addresses a vulnerability found within the company’s HomeKit protocol for connecting disparate smart home devices. The bug allowed malicious individuals to force an iPhone or iPad to repeatedly crash and freeze by changing the name of a HomeKit-compatible device to include more than 500,000 characters. Since iOS backs up HomeKit device names to iCloud, it was possible for iOS users to get stuck in an endless loop of crashes.
Security researcher Trevor Spiniolas discovered the vulnerability and publicly disclosed it on January 1st. According to Spiniolas, he informed Apple of the bug back in August. The company had reportedly planned to address the vulnerability before the end of 2021 but later delayed a fix to early 2022. “I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” Spiniolas said at the time.
Spiniolas found that the vulnerability is present within Apple’s mobile operating system as far back as iOS 14.7, but said he believes it exists in all versions of iOS 14. In other words, if you’ve been holding off on installing iOS 15, now is the time to update your Apple devices.
Update 01/13/22 12:45AM ET: We corrected a typo regarding Apple's timeline to address the vulnerability (thanks, Richard).
