Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices

Discussion in 'News Discussion' started by MacRumors, Dec 7, 2017.

  1. MacRumors macrumors bot


    Apr 12, 2001

    A HomeKit vulnerability in iOS 11.2 that allowed unauthorized access to HomeKit accessories that included smart locks has been fixed by Apple, the company told 9to5Mac in a statement today.

    To patch the vulnerability, which was reportedly difficult to reproduce, Apple disabled remote access for shared users, something the company says will be reintroduced in a software update that's set to be released early next week.

    Apple was able to address the vulnerability server side as it affected the HomeKit framework rather than individual HomeKit products. Though the vulnerability impacted all HomeKit devices, it is of particular interest to HomeKit users with smart locks and other HomeKit-enabled devices that allow access to the home, as someone able to exploit this kind of problem could gain entry to a dwelling without a physical key.

    9to5Mac says that Apple was first informed about the security issue and other related HomeKit vulnerabilities in October. Some of the problems were addressed in iOS 11.2 and watchOS 4.2, while the rest were fixed server side. HomeKit setups with at least one connected iPhone or iPad running iOS 11.2 and signed into a HomeKit user's iCloud account were impacted.

    Since its launch in 2014, HomeKit has seen many major improvements and its adoption has grown steadily. A wide range of manufacturers have embraced HomeKit, and there are HomeKit lights, outlets, switches, thermostats, window coverings, fans, sensors, cameras, locks, and garage door openers.

    August, Friday, Koogeek, Kwikset, Schlage, and Yale all make HomeKit-enabled smart locks that can be controlled via Siri voice commands and HomeKit apps.

    Article Link: Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices
  2. imran5720 macrumors regular


    Dec 21, 2013
  3. mainomega macrumors 6502

    Jun 5, 2007
  4. macbeta macrumors regular


    Nov 13, 2009
    After all the fuss about 3rd party developers being secure!
  5. Duane Martin macrumors 6502

    Duane Martin

    Oct 15, 2004
    Calgary, Alberta
    Anyone have a link to an article that actually describes the vulnerability? The description here is rather vague in that it implies all HomeKit users were vulnerable but then Apple says the problem was hard to reproduce.
  6. btrach144 macrumors 68000


    Aug 28, 2015
    I thought the whole point of HomeKit was it was supposed to be secure? (Nothing is ever 100% secure but it’s what Apple touted) #fail
  7. Wackery macrumors 6502a

    Feb 1, 2015
  8. jclo Editor


    Staff Member

    Dec 7, 2012
    It's actually 9to5Mac that said it was difficult to reproduce, fixed the wording there so it's not implying Apple said it. No additional information on the vulnerability has been provided, aside from the fact that it was an iOS 11.2 issue and affected devices running iOS 11.2 where a user had signed into iCloud.
  9. Westside guy, Dec 7, 2017
    Last edited: Dec 7, 2017

    Westside guy macrumors 603

    Westside guy

    Oct 15, 2003
    The soggy side of the Pacific NW
    It still does - just maybe not the same one you're referring to.
  10. Bacillus Suspended


    Jun 25, 2009
    Did it take them from October to now to reproduce it or to find a HomeKit installation of relevance?
  11. MacFather macrumors 6502a


    Mar 16, 2012
    I miss Forstall.
  12. questionmark32 macrumors regular

    Sep 23, 2013
    It's not like they're not fixing their issues.
  13. Bacillus, Dec 7, 2017
    Last edited: Dec 7, 2017

    Bacillus Suspended


    Jun 25, 2009
    No. December BugFest™- billions of participants.
  14. mariusignorello macrumors 68000

    Jun 9, 2013
    Any other security issues we need to know about? One after another.
  15. mabhatter macrumors 6502a

    Jan 3, 2009
    Sweet! The Gubermint really must want somebody. Presumably the minions of the secret lizard masters used this bug to break into someone’s house and then signed onto their Mac with Root privileges.

  16. archvile macrumors 6502


    Oct 27, 2007
    For some reason my Home app has a HUGE gap between the name of the Home at the top and the Favorite Scenes area, a gap of empty space big enough that it forces my favorite accessories to be cut off at the bottom of the screen... Anyone else see this?
  17. cdavis11 macrumors 6502

    Aug 31, 2009
    Good to know - I thought I was going to have to reset my HomeKit config this evening after my 3 Schlage Sense locks started reporting open/close actions again, even though I have them set to only report that status if neither my wife nor I is home.

    I guess I'd better turn notifications off until next week.
  18. ideal.dreams macrumors 68020


    Jul 19, 2010
    Does Apple even have a quality assurance department at this point? The latest releases of iOS and macOS are downright embarrassing.

    We share remote access in our family to access all of our HomeKit smart devices and now we're all unable to control our items until sometime next week. Absolutely ridiculous.
  19. iamtheonlyone4ever, Dec 7, 2017
    Last edited: Dec 7, 2017

    iamtheonlyone4ever Suspended


    May 27, 2016
    it seems that these 2 words go together
    apple vulnerability
    this is the never ending story, they release updates that fix the vulnerability that creates another vulnerability that requires another patch, wow I can't believe what's happening lately, totally unacceptable

    and this is not on iOS only, Mac OS is having the same problem
    so far in my opinion this is the worst combination ever
    iOS 11, Mac OS high sierra
    a plague of bugs
    --- Post Merged, Dec 7, 2017 ---
    a fix that fixes the problem but creates another problem that also needs to be fixed
    Microsoft was good at this but it seems that Apple wants to be better
    --- Post Merged, Dec 7, 2017 ---
    hosting the party
  20. Steve J0bs macrumors regular

    Jul 30, 2008
    I’ve been wondering why people added to my Home app couldn’t access the scenes and devices when on LTE. In addition, this turns off location-based automations if you have multiple people connected to home. Such as last person to leave house turning the lights off.
  21. cerote macrumors 6502a


    Mar 2, 2009
    Slopping badly lately.

    I started telling the relatives who I manage their stuff to hold off on updates longer. I generally give them a go on my devices before I tell them to update or do the updates for them. But lately I have to go from don't update to it needs that update to fix major issue a lot lately.
  22. OldSchoolMacGuy Suspended


    Jul 10, 2008
    Do you have any HomeKit products that use shared users? If not then you have nothing to worry about. As it is, this wasn't a vulnerability that was made public so the chances anyone exploited it are incredibly slim.
  23. iLoveDeveloping macrumors 6502

    Sep 24, 2009
  24. mr_vinjah macrumors newbie

    Apr 28, 2016
    SF, CA
    I have a Sense and didn't realize you could have notifications stopped if you were geofenced within your home. Is that an iOS feature or within the Schlage app? I didn't know this was possible and would appreciate any info on that. Thanks!
  25. Glideslope macrumors 603


    Dec 7, 2007
    A quiet place in NY.
    It still does. It’s simply switched direction. :apple:
