Apple HomeKit security flaw left smart home locks open to attack
iOS 11.2 bug gave third-party access to smart home door locks, lights and more
Another week, another Apple vulnerability receives an emergency patch. This time a flaw in Apple's smart home control system, HomeKit, left internet-connected door locks, garage door openers, lights and other gadgets open to attack.
The vulnerability was only present in the latest build of iOS for the iPhone and iPad — version 11.2 — and has now been temporarily fixed with a server-side update by Apple. A permanent fix will arrive with the next iOS update later this month.
First reported by 9to5Mac, which was given a demonstration of how smart locks could be attacked, the bug allowed unauthorized remote control of smart home devices, like locks and door openers. Clearly, in the wrong hands such a flaw would put a household at risk of burglary.
This was not an issue with any individual smart home device, but with how HomeKit communicated with Apple's servers. Apple mitigated the flaw by changing how its HomeKit servers operate, which has reduced functionality for now; the lost functionality will be restored with the next iOS update.
HomeKit lets users control lights, locks and more from an iOS device. (Image: Apple)
Although reportedly difficult to exploit, a bug in a high-profile smart home system like Apple HomeKit gives consumers yet another reason to be cautious about connecting crucial hardware like door locks to the internet. Hacking into a smart lighting system and playing a prank is one thing. The possibility of someone who is not meant to have access remotely unlocking doors and garages is something far more serious.
The website is vague about how the attack worked, but says: "The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected."
If the attack does depend on the victim's iCloud account, as that description suggests, any potential attacker already starts on the back foot. But such attacks have succeeded in the past, by stealing passwords and taking advantage of victims who do not use two-factor authentication.
Apple was made aware of the flaw back in October and worked with those who found it to create a fix. However, this update was not ready in time for iOS 11.2 and watchOS 4.2 — both of which arrived in early December.
Apple said in a statement released to the press: "The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week."