HomeKit Vulnerability Allowed Remote Access to Smart Accessories Including Locks
A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevent unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.
[…]
The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies.
[…]
I would also like to know — just like with the root security issue that affected the Mac last week — that the development process that led to this vulnerability shipping and the issue remaining live for weeks without users knowing is audited and changes are made if possible.
Update (2017-12-13): Lily Hay Newman:
And while Apple has earned a strong reputation for security, a string of significant vulnerabilities in macOS and iOS have strained Apple’s safety net—and led some security researchers and developers to question whether the issues are systemic.
[…]
“In my opinion, Apple’s desire to get all of its platforms—iOS, macOS, watchOS, and tvOS—on the same public relations, product management, and marketing-friendly annual release cycle is starting to take a toll,” says Pepijn Bruienne, a research and development engineer at Duo Security who focuses on Apple products.
The iOS 11.2.1 update addresses bugs and issues that have been discovered since the release of iOS 11.2.
According to Apple’s release notes, the update re-enables remote access for shared users of the Home app. Apple broke remote access for shared users when implementing a fix for a major HomeKit vulnerability last week.
Update (2017-12-18): Phil Schiller:
We just had a bad week. A couple of things happened, that’s all. The team is going to audit the systems and look carefully at the process and do some soul-searching, and do everything that they can to keep this from happening again.
[…] Previously: HomeKit Vulnerability Allowed Remote Access to Smart Accessories Including Locks. […]