A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac and allows unauthorized control of accessories, including smart locks and garage door openers. We understand that Apple has implemented a server-side fix that now prevents unauthorized access by limiting some functionality, and that an iOS 11.2 update due next week will restore that full functionality.
The vulnerability, which we will not describe in detail and which was difficult to reproduce, allowed unauthorized control of accessories connected to HomeKit, including smart lights, thermostats and plugs.
The most serious ramification of this vulnerability, prior to the fix, is unauthorized remote control of smart locks and connected garage door openers, the first of which was demonstrated to 9to5Mac.
The problem was not with individual smart home products but with the HomeKit framework itself, which connects products from several companies.
Users do not need to take any action today to address the problem, since the fix being deployed is server-side. The upcoming iOS update next week will restore any functionality broken by that fix.
The vulnerability required at least one iPhone or iPad running iOS 11.2, the latest version of Apple's mobile operating system, signed in to the HomeKit user's iCloud account; previous versions of iOS were not affected.
We also understand that Apple was informed about this and related vulnerabilities at the end of October, and that some, but not all, of the problems were fixed as part of iOS 11.2 and watchOS 4.2, which were released this week. Other problems in this category were corrected on Apple's server side, so end users did not have to do anything.
Apple shared this statement with 9to5Mac regarding the problem:
"The problem affecting HomeKit users on iOS 11.2 has been fixed; the solution temporarily disables remote access for shared users, which will be restored in a software update early next week."
We believe that bringing this vulnerability to our attention has resulted in the fix being prepared earlier than it otherwise would have been, and our readers deserve to know that the vulnerability exists. The severity of this vulnerability also imposes a responsibility on 9to5Mac as a publication to share what we know with our audience if we are to continue covering HomeKit and smart home products.
What does this vulnerability disclosure mean? Should you not trust HomeKit or smart home products in the future? The reality is that bugs occur in software. They always have, and pending any progress in software development methods, it is likely that they always will. The same is true of physical hardware, which may be defective and have to be recalled. The difference is that software can be repaired over the air without a full recall.
However, trusting HomeKit and smart home products with your safety will have to be a personal decision, as it always has been. Personally, once this vulnerability has been patched, I think I will feel comfortable trusting that HomeKit security solutions remain protected, but you can always use an old-fashioned lock and key or install security cameras as a secondary measure.
I would also like to see, as with the root security issue that affected the Mac last week, the development process that allowed this vulnerability to ship, and that left the problem live for weeks without users knowing, audited and changed where possible.
The bottom line is that if a lock or garage door opener connected to HomeKit cannot protect your home, customers should be given the opportunity to assess the risks associated with any known vulnerability.
The hope in publicizing this specific vulnerability is that we can have a significant impact on improving security auditing and quality assurance processes so that HomeKit can be a better solution in the future and live up to its reputation as the most secure smart home framework.