iOS 15.2.1 fixes critical flaw — update your iPhone now


Update: Apple has released iOS 15.3.1 to fix a different problem with WebKit.

If you have a recent iPhone or iPad then you’ll want to update it to the newly released iOS 15.2.1 and iPadOS 15.2.1, as this update fixes a nasty security flaw that could send your iPhone into a reboot spiral of death.

This bug was discovered by security researcher Trevor Spiniolas at the start of January and involved Apple’s HomeKit service, which provides the software interface between iPhones and iPads and some of the best smart home devices.

The vulnerability could allow hackers to set up a HomeKit-compatible device with a very long name, some 500,000 characters in length, which would then trigger an iOS or iPadOS device to repeatedly crash when trying to connect to it.

This denial-of-service attack would need to entice users to connect to a compromised HomeKit device. Curiosity when setting up smart home devices, together with a connection range that can span apartments or buildings, could make this a distinct possibility. However, the likely vector of attack would be a hacker using the Apple Home app to send an invite to targeted users asking them to join their ‘Home’, thus exposing them to a network with a compromised HomeKit device.

What’s more, as iOS and iPadOS back up HomeKit device names to iCloud, it could trigger affected iPhones and iPads to suffer from an endless loop of crashes. And rebooting or updating an affected iPhone or iPad won’t fix the problem either, with any attempt to back up from previously used iCloud data also triggering the crash cycle.

Ultimately, a factory reset would be needed and thus result in data loss; Spiniolas suggested this bug could be used by hackers to perform ransomware attacks, forcing victims to part with money or lose access to their iOS or iPadOS data.

But with iOS and iPadOS 15.2.1, the ability to put in excessively long HomeKit device names has been curtailed, and thus the bug has been squashed. So if you’ve yet to do it, we very much recommend you update to the latest version of iOS and iPadOS, as devices running versions dating back to iOS 14.7 are vulnerable to this exploit.

And as ever, we suggest being cautious about the networks you connect your devices to. If an unknown user or device asks for permission to connect to your phone, tablet or laptop, then make sure you know it’s not malicious. We’d advise treating such situations with extreme caution until you know you’re connected to a trusted device or network.

Roland Moore-Colyer

Roland Moore-Colyer is a Managing Editor at Tom’s Guide with a focus on news, features and opinion articles. He often writes about gaming, phones, laptops and other bits of hardware; he’s also got an interest in cars. When not at his desk Roland can be found wandering around London, often with a look of curiosity on his face.