Zero-day iOS HomeKit vulnerability allowed remote access to smart accessories including locks, fix rolling out
A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevent unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.
The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs.
The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated.
The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies.
Users need to take no action today to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will resolve any broken functionality.
The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account; earlier versions of iOS were not affected.
We also understand that Apple was informed about this and related vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2 which were released this week. Other issues in this category were fixed server-side from Apple so end users needed to take no action.
Apple shared this statement regarding the issue:
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
We believe this vulnerability being brought to our attention has resulted in the solution being readied sooner than it otherwise would have been, and our readers deserve to know that the vulnerability existed.
Does this vulnerability shipping mean you shouldn’t trust HomeKit or smart home products going forward? The reality is bugs in software happen. They always have and pending any breakthrough in software development methods, they likely always will. The same is true for physical hardware which can be flawed and need to be recalled. The difference is software can be fixed over-the-air without a full recall.
Trusting HomeKit and smart home products with your security, however, will have to be a personal decision now just like it always has. Personally, once this vulnerability has been patched, I believe I’ll be comfortable with trusting HomeKit security solutions to remain protected, but you can always use an old fashioned lock and key or install security cameras as a double measure.