Apple patches HomeKit denial-of-service bug with new iOS update

  News, Rassegna Stampa
image_pdfimage_print

On Wednesday, Apple released the 15.2.1 version of iOS, a minor update to the mobile operating system that fixes bugs, including a denial-of-service vulnerability previously reported by The Verge.

The 15.2.1 patch addresses a vulnerability triggered through HomeKit, the software API for connecting smart home devices to iOS applications. If the vulnerability was exploited, HomeKit devices labeled with a very long name would cause iPhones and iPads to endlessly freeze, crash, and reboot.

Since HomeKit device names are backed up to iCloud, signing in to the same iCloud account with a restored device would trigger the crash again.

Apple’s security notification for the 15.2.1 update lists only one change, a fix for the HomeKit vulnerability. Details of the fix state that a “resource exhaustion issue was addressed with improved input validation,” presumably to prevent long HomeKit device names from being read into memory by iOS devices.

Besides security updates, the patch also fixed a bug that impacted performance of third-party CarPlay apps and another that prevented the Messages app from loading certain photos sent via iCloud. Users can update iOS by opening the Settings app on a device and tapping “General,” then selecting “Software Update.”

The HomeKit bug was discovered by security researcher Trevor Spiniolas, who published details on his blog on January 1st. At the time, Spiniolas accused Apple of being slow to respond to his initial disclosure, which was made in August 2021.

According to Spiniolas’ blog, the bug affects iOS versions at least as far back as 14.7 and likely before, meaning these devices are still vulnerable. Owners of iPhones or iPads should update their devices as soon as possible to benefit from the new update.

https://www.theverge.com/2022/1/12/22880493/apple-15-2-1-patch-ios-homekit-denial-of-service-vulnerability-fix