Apple released iOS 15.2.1 on 13 January 2022 to patch a vulnerability found within the HomeKit protocol for linking different smart home devices.
The bug enabled hackers to make iOS devices crash continually by changing the name of a HomeKit-compatible device to a string longer than 500,000 characters.
The vulnerability was identified by security researcher Trevor Spiniolas, who publicised his findings.
“When the name of a HomeKit device is changed to a large string (500,000 characters in testing), any device with an affected iOS version installed that loads the string will be disrupted, even after rebooting,” Spiniolas wrote.
He added that the bug would reoccur upon signing into the iCloud account to which the HomeKit device is linked, even after completing a restore.
Spiniolas explained that one of two scenarios would occur afterwards.
The first scenario applies when the iOS user does not have Home Devices enabled in the control centre. Spiniolas explained that in this case, “the Home app will become completely unusable, crashing upon launch.”
The second scenario occurs when the iOS user has Home Devices enabled. Spiniolas said that the entire operating system becomes unresponsive in this case, and the device will reboot occasionally.
However, reboots do not correct the issue, and the device will remain unresponsive.
“At this point the user has effectively lost all local data as their device is unusable and cannot be backed up,” Spiniolas said.
Spiniolas added that restoring the device and signing back into the same iCloud account will trigger the bug again.
Apple has patched the bug in iOS 15.2.1, explaining that it had addressed a resource exhaustion issue with improved input validation.