iOS 15.2.1 and iPadOS 15.2.1 Address HomeKit Vulnerability

Apple today released iOS 15.2.1 and iPadOS 15.2.1, minor updates that include an important security fix for a known HomeKit vulnerability that was first discovered last year.

According to Apple’s security support document for the update, it addresses an issue that could cause a maliciously crafted ?HomeKit? name to result in a denial of service, causing iPhones and iPads not to work.

Apple says that it was caused by a resource exhaustion issue that has now been addressed with improved input validation.

The ?HomeKit? bug was first highlighted in January by Bleeping Computer after being discovered by Trevor Spiniolas. Called “doorLock,” the vulnerability is executed by changing the name of a ?HomeKit? device to something with over 500,000 characters.

Attempting to load such a large string of characters causes the iOS device to be sent into a denial of service state, and a forced reset is the only way to recover. Resetting the device results in a loss of data unless there is an available backup, and signing back into an affected iCloud account linked to the broken ?HomeKit? device name can re-trigger the bug.

Apple partially fixed the bug in iOS 15.1 by limiting the length of the name that can be set for a ?HomeKit? device or app, but it didn’t entirely fix the issue because malicious people exploiting the vulnerability could use Home invitations rather than a device to trigger the attack.

Because this bug could result in data loss at worst and a device reset at best, it’s worth updating to the iOS and iPadOS 15.2.1 updates right away.Related Roundups: iOS 15, iPadOS 15Related Forum: iOS 15This article, “iOS 15.2.1 and iPadOS 15.2.1 Address HomeKit Vulnerability” first appeared on MacRumors.comDiscuss this article in our forums

Go to Source
Author: Juli Clover