iOS 15.2.1 is released with critical HomeKit security fix
Wednesday January 12, 2022. 08:31 PM , from Macworld Reviews
If you’re already using iOS 15.2 (or iPadOS 15.2), it’s probably a good idea to grab the new 15.2.1 update. Released on Wednesday, it fixes a couple of minor issues with Messages and CarPlay and a more serious security issue with HomeKit.
The Messages fix is simple–some photos sent using an iCloud link would sometimes not load. The CarPlay fix applies to third-party apps that sometimes would not respond to input, which is definitely not ideal when you’re driving.
But it’s the HomeKit fix that is really important here. Security researcher Trevor Spiniolas found that if someone were to make the name of a HomeKit device really long (hundreds of thousands of characters) then your iPhone or iPad will crash when it tries to parse the name.
If there is such a maliciously-named HomeKit device in your Home, then the Home app will become completely unusable. What’s worse, if you have any HomeKit devices in Control Center (the default for most users), the entire device will lock up and become unresponsive in a very short time. And rebooting or restoring the device won’t fix it–you’ll be stuck in this loop.
It’s not clear exactly how iOS 15.2.1 fixes the issue, but the update shuts down the ability for a hacker to exploit it. Here are Apple release notes for iOS 15.2.1:
Messages may not load photos sent using an iCloud LinkThird-party CarPlay apps may not respond to inputHomeKit
Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)Impact: Processing a maliciously crafted HomeKit accessory name may cause a denial of serviceDescription: A resource exhaustion issue was addressed with improved input validation.CVE-2022-22588: Trevor Spiniolas (@TrevorSpiniolas)To get the update, open Settings, then tap General, Software Update, and Download and Install.
May, Tue 17 - 13:10 CEST