iOS 15.2.1 and iPadOS 15.2.1 Address HomeKit Vulnerability

Apple today released iOS 15.2.1 and iPadOS 15.2.1, minor updates that include an important security fix for a known HomeKit vulnerability that was first discovered last year.

homekit showdown 2 thumb
According to Apple's security support document for the update, it addresses an issue that could cause a maliciously crafted ‌HomeKit‌ name to result in a denial of service, causing iPhones and iPads not to work.

Apple says that it was caused by a resource exhaustion issue that has now been addressed with improved input validation.


The ‌HomeKit‌ bug was first highlighted in January by Bleeping Computer after being discovered by Trevor Spiniolas. Called "doorLock," the vulnerability is executed by changing the name of a ‌HomeKit‌ device to something with over 500,000 characters.

Attempting to load such a large string of characters causes the iOS device to be sent into a denial of service state, and a forced reset is the only way to recover. Resetting the device results in a loss of data unless there is an available backup, and signing back into an affected iCloud account linked to the broken ‌HomeKit‌ device name can re-trigger the bug.

Apple partially fixed the bug in iOS 15.1 by limiting the length of the name that can be set for a ‌HomeKit‌ device or app, but it didn't entirely fix the issue because malicious people exploiting the vulnerability could use Home invitations rather than a device to trigger the attack.

Because this bug could result in data loss at worst and a device reset at best, it's worth updating to the iOS and iPadOS 15.2.1 updates right away.

Related Forum: iOS 15

Top Rated Comments

hackedmac Avatar
18 months ago
Does this fix the Snapshots not updating on the cameras?
Score: 8 Votes (Like | Disagree)
PBG4 Dude Avatar
18 months ago

Who really would have created a HomeKit device with a name over 500,000 characters? While it's possible, it's INCREDIBLY unlikely.
The problem isn’t that someone could name an object with >500K characters. The problem is Apple code is willing to accept inputs of this length, even when the field has not had the memory allocated to handle a 500K length string.
Score: 7 Votes (Like | Disagree)
Sydnxt Avatar
18 months ago
Wow, no release notes on the software update screen!
Score: 6 Votes (Like | Disagree)
d4cloo Avatar
18 months ago

I'm a heavy critic on how Apple developed HomeKit. I see I'm getting validated today.
I'm mostly annoyed by the user experience. I have a lot of smart equipment, and it's extremely cumbersome and frankly impossible to design a custom screen in Control Center that is laid out exactly according to my preferences.
Score: 6 Votes (Like | Disagree)
Macintosh TV Avatar
18 months ago
Who really would have created a HomeKit device with a name over 500,000 characters? While it's possible, it's INCREDIBLY unlikely.
Score: 5 Votes (Like | Disagree)
doboy Avatar
18 months ago
Seriously, people accept home invitations from randos? Haha.
Score: 4 Votes (Like | Disagree)

Popular Stories

google drive for desktop1

Google to Roll Out New 'Drive for Desktop' App in the Coming Weeks, Replacing Backup & Sync and Drive File Stream Clients

Tuesday July 13, 2021 1:18 am PDT by
Earlier this year, Google announced that it planned to unify its Drive File Stream and Backup and Sync apps into a single Google Drive for desktop app. The company now says the new sync client will roll out "in the coming weeks" and has released additional information about what users can expect from the transition. To recap, there are currently two desktop sync solutions for using Google...