
iOS 15.2.1 and iPadOS 15.2.1 Fix Messages Bug and HomeKit Vulnerability

Apple has released iOS 15.2.1 and iPadOS 15.2.1 updates, with just a couple of bug fixes:

  • Messages not loading photos sent using iCloud Link
  • Third-party CarPlay apps not responding to input

The more interesting change appears in the security notes. There’s a single security fix for a nasty HomeKit vulnerability, in which a maliciously crafted HomeKit accessory name (containing some 500,000 characters) could cause iOS and iPadOS devices that loaded it to be disrupted, even after rebooting—the only solution was to reset and restore the device. Security researcher Trevor Spiniolas reported the bug to Apple way back in August 2021. Unusual though the vulnerability may be, it’s distressing that it took Apple as long as it did to acknowledge and fix the bug—Apple only benefits by treating security researchers well.

If you use HomeKit or have been affected by the Messages or CarPlay bugs, you should update right away. Otherwise, we recommend waiting a few days to see if any issues crop up.

You can install the iOS 15.2.1 update (804.8 MB on an iPhone 11 Pro) and the iPadOS 15.2.1 update (676.6 MB on a 2020 iPad) in Settings > General > Software Update.


Comments About iOS 15.2.1 and iPadOS 15.2.1 Fix Messages Bug and HomeKit Vulnerability

Notable Replies

  1. Installed this update too. I was hoping it would also solve the messages notification problem but it did not. Many messages users are complaining about the notification problem and Apple has done absolutely nothing about it.

    Messages when received on an iPhone do not give a sound or banner or visual notification. You have to check yourself to see if you have any new messages.

  2. Interesting. I don’t get that much in Messages, but I do feel like I’ve been missing notifications for some things of late. Perhaps it’s related to what you’re talking about. I’ll have to pay attention more…

  3. Let’s step back a bit before reacting in horror that Apple didn’t patch the HomeKit vulnerability sooner. As I read it, it’s more a bug (denial of service) than a data vulnerability issue IMO as it didn’t seem to cause malware to be installed and your data to be stolen.

    I would hope that Apple did an assessment of this report and decided that while it needed to be fixed, it was at a lower priority as it wasn’t a zero day that was a target for malware installation or very very unlikely to happen.

    What’s annoying is that the reporter of the bug was told when Apple was going to have a fix for it but seemed to have a fit because it didn’t get fixed when he wanted it to. He’s portraying it as Apple foot dragging and ignoring the issue, but you are not hearing Apple’s side of things. Could it in reality be that in the grand scheme of things it wasn’t as important (hurt egos come to mind here).

  4. I agree that the bug itself is not particularly likely to be exploited. It’s more that Apple is doing a poor job of treating security researchers with respect. (This is just the latest example.) If they had worked this fix in earlier, the guy wouldn’t have gone public with it and made them look bad.

  5. Still have issue with CarPlay since 15.2 that it no longer defaults to song display but library. I know there are some updates to the Infocenter (Automaker Mazda has firmware updates…at least 2 since I got the vehicle…waiting to get scheduled). 15.2.1 didn’t resolve.

  6. I know this is a Messages bug fix, but has anyone had issues with phone notifications? I’ve had a number of times where I’m not receiving notifications for quite a while after the call. This morning I saw the phone notification but the VM one didn’t come in until I got another call and it was time-stamped 20 minutes earlier. Not sure if it’s a phone or carrier (Verizon) thing.

    Diane

  7. I guess we have different views on who looks bad here. If this was an unpatched zero-day that allows the device to be infiltrated, then I agree that Apple looks bad. Otherwise it looks like whining.
    I have no idea what communication went on between the researcher and Apple. I am inferring some things based on what was reported. I do agree with you that it has to be a two way street.
    And by “respect for security researchers”, would you happen to mean “bounty”, since it appears that Apple is not as generous in that regard as other companies?

  8. The bounties are some of it, but in reports from security researchers who are unhappy, it largely comes down to Apple being slow to respond, both to communications and in fixing the problems or providing guidance as to when they might be fixed. If Apple isn’t sufficiently rewarding to work with, researchers will either stop looking for vulnerabilities or may even start selling them to the bad guys.

    It just seems like common decency—if someone is reporting problems to you for fixing, treat them well.

  9. I agree with you more and more after reading some later postings about the situation. Apple does need to step up its game dealing with security researchers.
