Apple releases iOS 15.2.1 to patch a serious HomeKit DDoS vulnerability

The bug was publicly disclosed at the start of the year.

Sponsored Links

Apple iOS 15 beta on iPhone
Apple iOS 15 beta on iPhone Cherlynn Low/Engadget

Apple has released iOS 15.2.1, its latest software update for recent iPhone and iPad devices. The patch addresses a vulnerability found within the company’s HomeKit protocol for connecting disparate smart home devices. The bug allowed malicious individuals to force an iPhone or iPad to repeatedly crash and freeze by changing the name of a HomeKit-compatible device to include more than 500,000 characters. Since iOS backs up HomeKit device names to iCloud, it was possible for iOS users to get stuck in an endless loop of crashes.

Security researcher Trevor Spiniolas discovered the vulnerability and publicly disclosed it on January 1st. According to Spiniolas, he informed Apple of the bug back in August. The company had reportedly planned to address the vulnerability before the end of 2021 but later delayed a fix to early 2022. “I believe this bug is being handled inappropriately as it poses a serious risk to users and many months have passed without a comprehensive fix,” Spiniolas said at the time.

Spiniolas found that the vulnerability is present within Apple’s mobile operating system as far back as iOS 14.7, but said he believes it exists in all versions of iOS 14. In other words, if you’ve been holding off on installing iOS 15, now is the time to update your Apple devices.

Update 01/13/22 12:45AM ET: We corrected a typo regarding Apple's timeline to address the vulnerability (thanks, Richard). 

All products recommended by Engadget are selected by our editorial team, independent of our parent company. Some of our stories include affiliate links. If you buy something through one of these links, we may earn an affiliate commission.
Popular on Engadget