Apple has recently released iOS and iPadOS 15.2.1 for both iPhone and iPad devices, which addresses a critical security vulnerability. According to the patch note, the latest firmware update includes a critical fix for an existing HomeKit protocol exploit that can be used by attackers for malicious purposes.
The exploit, which Apple credits its discovery to security researcher Trevor Spiniolas, allowed hackers to force an iPhone or iPad to repeatedly crash and freeze. This is achieved by changing the name of a HomeKit-compatible device to include more than 500,000 characters, which would trigger the bug. Furthermore, this could also potentially cause an endless crash loop as both iOS and iPadOS backs up HomeKit device names to iCloud, thus making recovery attempts impossible.
Spiniolas publicly disclosed his discovery on 1 January 2022, but mentioned that he initially informed Apple of the exploit back in August of last year. However, despite its awareness of the vulnerability, the company had reportedly planned to address it before the end of 2021, but was delayed until recently. The researcher added that the HomeKit exploit has been present within both of Apple’s mobile operating platforms since iOS 14.7, and may also exist in all versions of iOS 14.
iOS and iPadOS 15.2.1 can now be downloaded via the Software Update page under the Settings app. Apple notes that the firmware update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).