Wednesday, December 20, 2017

Explanation of HomeKit Vulnerability

Khaos Tian (tweet):

HomeKit didn’t check the sender of remote messages before processing the request, which ended up allowing potentially anyone to remotely control HomeKit accessories in the home.


Of all the messages you can send to the HomeKit daemon, there are some really interesting ones. There is one message that will let HomeKit on watchOS reply to the sender with a list of home identifiers, along with the public and private key that are used to encrypt home data and communicate with accessories. Once an attacker gets the reply, it’s game over for HomeKit. With the pairing identity and private key, the attacker can trick HomeKit into thinking he is the owner of the home, even after Apple fixed the messaging issue.


Those message mishandling issues were discovered back in late October, and were disclosed to Apple’s product security team the day after I found them (Oct 28). I got ONE email (on October 30) from Apple’s product security team saying they were investigating it, and nothing else through the entire month of November. During that time, I sent multiple emails (Oct 31, Nov 2, and Nov 16. Additionally there was one sent to Federighi on Nov 27.) to try to ensure the engineering team understood the issue, but there was no reply at all. I observed that Apple deployed the watchOS server fix, so I assumed they were just being typical Apple, not replying to people (hello radar 🙃), so I thought the engineering team should have had sufficient understanding of the issue and hoped they had properly fixed it with iOS 11.2. But then iOS 11.2 was officially released, and while they did fix some issues in my report, they didn’t do a full security audit to ensure all messages are being handled properly, and instead they introduced a new message which makes the whole attack a lot easier 🤦.


So I ended up reaching out to a friend at 9to5mac, and it turned out Apple’s PR channel is much more responsive than product security: from them reaching out to Apple PR to Apple coming up with a temporary fix all happened within 48 hours. No wonder nowadays people just throw security issues on Twitter, right? What a world we live in.
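The bug class Tian describes, a daemon dispatching on message type before verifying who sent the message, modelled as an added example (not HomeKit’s code or Tian’s): the message vocabulary, class names and the pairing check are invented for illustration, and the hardened handler also stops returning the private key at all, since a reply never needs it.

```python
# Toy model of a home-automation daemon's remote message handler. It exists
# only to show the difference between dispatching first and authenticating
# first; every name and message type here is invented for this example.
from dataclasses import dataclass, field


@dataclass
class Home:
    home_id: str
    public_key: bytes
    private_key: bytes  # used to talk to accessories; must never leave the device


@dataclass
class HomeDaemon:
    homes: list
    paired_senders: set = field(default_factory=set)  # identities that completed pairing

    def handle_unchecked(self, sender_id: str, message: dict) -> dict:
        """Vulnerable pattern: act on the message type without looking at the sender,
        and answer the inventory request with key material included."""
        if message.get("type") == "list-homes":
            return {"homes": [(h.home_id, h.public_key, h.private_key) for h in self.homes]}
        return {"error": "unknown message"}

    def handle_checked(self, sender_id: str, message: dict) -> dict:
        """Hardened pattern: refuse anything from an unpaired sender before dispatch,
        and only ever return the data a remote peer legitimately needs."""
        if sender_id not in self.paired_senders:
            return {"error": "unauthenticated sender"}
        if message.get("type") == "list-homes":
            # The private key stays local regardless of who is asking.
            return {"homes": [(h.home_id, h.public_key) for h in self.homes]}
        return {"error": "unknown message"}


def demo() -> tuple:
    """Constructed scenario: one paired phone, one stranger, one sensitive request."""
    daemon = HomeDaemon(homes=[Home("home-1", b"pub", b"priv")], paired_senders={"owner-phone"})
    req = {"type": "list-homes"}
    return (daemon.handle_unchecked("stranger", req),
            daemon.handle_checked("stranger", req),
            daemon.handle_checked("owner-phone", req))
```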

Khaos Tian:

They declined my request to get an invitation to join their bounty program, since they think my involving the press to have them fix the issue voided the qualification for the invitation ¯\_(ツ)_/¯ We’ll see how it goes.

Previously: HomeKit Vulnerability Allowed Remote Access to Smart Accessories Including Locks.
