
MacRumors

macrumors bot



A HomeKit vulnerability in iOS 11.2 that allowed unauthorized access to HomeKit accessories that included smart locks has been fixed by Apple, the company told 9to5Mac in a statement today.

"The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week."
To patch the vulnerability, which was reportedly difficult to reproduce, Apple disabled remote access for shared users, something the company says will be reintroduced in a software update that's set to be released early next week.

Apple was able to address the vulnerability server side as it affected the HomeKit framework rather than individual HomeKit products. Though the vulnerability impacted all HomeKit devices, it is of particular interest to HomeKit users with smart locks and other HomeKit-enabled devices that allow access to the home, as someone able to exploit this kind of problem could gain entry to a dwelling without a physical key.

9to5Mac says that Apple was first informed about the security issue and other related HomeKit vulnerabilities in October. Some of the problems were addressed in iOS 11.2 and watchOS 4.2, while the rest were fixed server side. HomeKit setups with at least one connected iPhone or iPad running iOS 11.2 and signed into a HomeKit user's iCloud account were impacted.

Since its launch in 2014, HomeKit has seen many major improvements and its adoption has grown steadily. A wide range of manufacturers have embraced HomeKit, and there are HomeKit lights, outlets, switches, thermostats, window coverings, fans, sensors, cameras, locks, and garage door openers.

August, Friday, Koogeek, Kwikset, Schlage, and Yale all make HomeKit-enabled smart locks that can be controlled via Siri voice commands and HomeKit apps.

Article Link: Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices
 
Anyone have a link to an article that actually describes the vulnerability? The description here is rather vague in that it implies all HomeKit users were vulnerable but then Apple says the problem was hard to reproduce.

It's actually 9to5Mac that said it was difficult to reproduce, fixed the wording there so it's not implying Apple said it. No additional information on the vulnerability has been provided, aside from the fact that it was an iOS 11.2 issue and affected devices running iOS 11.2 where a user had signed into iCloud.
 
Sweet! The Gubermint really must want somebody. Presumably the minions of the secret lizard masters used this bug to break into someone’s house and then signed onto their Mac with Root privileges.

Nifty!
 
For some reason my Home app has a HUGE gap between the name of the Home at the top and the Favorite Scenes area, a gap of empty space big enough that it forces my favorite accessories to be cut off at the bottom of the screen... Anyone else see this?
 





Good to know - I thought I was going to have to reset my HomeKit config this evening after my 3 Schlage Sense locks started reporting open/close actions again, even though I have them set to only report that status if neither my wife nor I is home.

I guess I'd better turn notifications off until next week.
 
Does Apple even have a quality assurance department at this point? The latest releases of iOS and macOS are downright embarrassing.

We share remote access in our family to access all of our HomeKit smart devices and now we're all unable to control our items until sometime next week. Absolutely ridiculous.
 
It seems that these 2 words go together:
apple vulnerability
This is the never-ending story: they release updates that fix the vulnerability that create another vulnerability that requires another patch. Wow, I can't believe what's happening lately, totally unacceptable.

And this is not on iOS only; Mac OS is having the same problem.
So far, in my opinion, this is the worst combination ever:
iOS 11, Mac OS High Sierra
a plague of bugs

Another fix.. nice
A fix that fixes the problem but creates another problem that also needs to be fixed.
Microsoft was good at this but it seems that Apple wants to be better
:D

No. December BugFest™- billions of participants.
hosting the party
apple
 
I’ve been wondering why people added to my Home app couldn’t access the scenes and devices when on LTE. In addition, this turns off location-based automations if you have multiple people connected to home. Such as last person to leave house turning the lights off.
 
Slopping badly lately.

I started telling the relatives who I manage their stuff to hold off on updates longer. I generally give them a go on my devices before I tell them to update or do the updates for them. But lately I have to go from don't update to it needs that update to fix major issue a lot lately.
 
Any other security issues we need to know about? One after another.

Do you have any HomeKit products that use shared users? If not then you have nothing to worry about. As it is, this wasn't a vulnerability that was made public so the chances anyone exploited it are incredibly slim.
 

I have a Sense and didn't realize you could have notifications stopped if you were geofenced within your home. Is that an iOS feature or within the Schlage app? I didn't know this was possible and would appreciate any info on that. Thanks!
 