iOS 15.2.1 fixes critical flaw — update your iPhone now
A nasty HomeKit bug affects iPads as well, so get updating
Update: Apple has release iOS 15.3.1 to fix a different problem with WebKit.
If you have a recent iPhone or iPad then you’ll want to update it to the newly released iOS 15.2.1 and iPadOS 15.2.1, as this update fixes a nasty security flaw that could send your iPhone into a reboot spiral of death.
This bug was discovered by security researcher Trevor Spiniolas at the start of January and involved Apple’s HomeKit service, which provides the software interface between iPhones and iPads and some of the best smart home devices.
The vulnerability could allow hackers to set up a HomeKit compatible device with a very long name, some 500,000 characters in length, which would then trigger an iOS or iPadOS device to repeatedly crash when trying to connect to it.
This denial of service attack would need to entice users to connect to a compromised HomeKit device, but curiosity when setting up smart home devices and the range at which they can be connected to spanning apartments or buildings, could make this a distinct possibility. However, the likely vector of attack would be a hacker using the Apple Home app to send an invite to targeted users asking them to join their ‘Home’ and thus be exposed to a network with a compromised HomeKit device.
What’s more, as iOS and iPadOS backup HomeKit device names to iCloud, it could trigger affected iPhones and iPads to suffer from an endless loop of crashes. And rebooting or updating an affected iPhone or iPad won’t fix the problem either, with any attempt to backup from previously used iCloud data also triggering the crash cycle.
Ultimately, a factory reset would be needed and thus result in data loss; Spiniolas suggested this bug could be used by hackers to perform ransomware attacks, forcing victims to part with money or lose access to their iOS or iPadOS data.
Sign up now to get the best Black Friday deals!
Discover the hottest deals, best product picks and the latest tech news from our experts at Tom’s Guide.
But with iOS and iPadOS 15.2.1, the ability to put in excessively long HomeKit device names has been curtailed, and thus the bug has been squashed. So if you’ve yet to do it, we very much recommend you update to the latest version of iOS and iPadOS, as device running versions dating back to iOS 14.7 are vulnerable to this exploit.
And as ever, we suggest being cautious about the networks you connect your devices to. If an unknown user or device asks for permission to connect to your phone, tablet or laptop, then make sure you know it’s not malicious. We’d advise treating such situations with extreme caution until you know you’re connected to a trusted device or network.
Roland Moore-Colyer a Managing Editor at Tom’s Guide with a focus on news, features and opinion articles. He often writes about gaming, phones, laptops and other bits of hardware; he’s also got an interest in cars. When not at his desk Roland can be found wandering around London, often with a look of curiosity on his face.