Apple today released iOS 15.2.1 and iPadOS 15.2.1, minor updates that include an important security fix for a known HomeKit vulnerability that was first discovered last year.
According to Apple's security support document for the update, it addresses an issue that could cause a maliciously crafted HomeKit name to result in a denial of service, causing iPhones and iPads not to work.
Apple says that it was caused by a resource exhaustion issue that has now been addressed with improved input validation.
The HomeKit bug was first highlighted in January by Bleeping Computer after being discovered by Trevor Spiniolas. Called "doorLock," the vulnerability is executed by changing the name of a HomeKit device to something with over 500,000 characters.
Attempting to load such a large string of characters causes the iOS device to be sent into a denial of service state, and a forced reset is the only way to recover. Resetting the device results in a loss of data unless there is an available backup, and signing back into an affected iCloud account linked to the broken HomeKit device name can re-trigger the bug.
Apple partially fixed the bug in iOS 15.1 by limiting the length of the name that can be set for a HomeKit device or app, but it didn't entirely fix the issue because malicious people exploiting the vulnerability could use Home invitations rather than a device to trigger the attack.
Because this bug could result in data loss at worst and a device reset at best, it's worth updating to the iOS and iPadOS 15.2.1 updates right away.
