On Wednesday Apple released iOS 15.2.1 and iPadOS 15.2.1 to its customers. It’s a minor update that contains a few bug fixes, including one for the HomeKit issue that can cripple your iPhone.
You can install the update by going to Settings > General > Software Update. Here are the release notes:
- Messages may not load photos sent using an iCloud Link
- Third-party CarPlay apps may not respond to input
Security researcher Trevor Spiniolas found a vulnerability within iOS that he reported to Apple, but the issue had remained until now. He found that when you change a HomeKit device’s name to a very large string, it breaks the iPhone. It shuts the device down, and rebooting the iPhone doesn’t fix the issue. In his testing, Mr. Spiniolas used a string of 500,000 characters. Apple did add a character limit for HomeKit names in iOS 15.1, but devices running earlier versions of iOS could still be affected.
On iOS versions previous to these, an application can trigger the bug since this limit is not present. If the bug is triggered on a version of iOS without the limit and the device shares HomeKit data with a device on an iOS version with the limit, both will still be affected.
Apple details the fix on its security web page:
- Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
- Impact: Processing a maliciously crafted HomeKit accessory name may cause a denial of service
- Description: A resource exhaustion issue was addressed with improved input validation.
- CVE-2022-22588: Trevor Spiniolas (@TrevorSpiniolas)
It’s good to see iOS 15.2.1 has fixed the issue.