Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
52,095
13,710



A HomeKit vulnerability in iOS 11.2 that allowed unauthorized access to HomeKit accessories that included smart locks has been fixed by Apple, the company told 9to5Mac in a statement today.

homekit-800x485.jpg
"The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week."
To patch the vulnerability, which was reportedly difficult to reproduce, Apple disabled remote access for shared users, something the company says will be reintroduced in a software update that's set to be released early next week.

Apple was able to address the vulnerability server side as it affected the HomeKit framework rather than individual HomeKit products. Though the vulnerability impacted all HomeKit devices, it is of particular interest to HomeKit users with smart locks and other HomeKit-enabled devices that allow access to the home, as someone able to exploit this kind of problem could gain entry to a dwelling without a physical key.

9to5Mac says that Apple was first informed about the security issue and other related HomeKit vulnerabilities in October. Some of the problems were addressed in iOS 11.2 and watchOS 4.2, while the rest were fixed server side. HomeKit setups with at least one connected iPhone or iPad running iOS 11.2 and signed into a HomeKit user's iCloud account were impacted.

Since its launch in 2014, HomeKit has seen many major improvements and its adoption has grown steadily. A wide range of manufacturers have embraced HomeKit, and there are HomeKit lights, outlets, switches, thermostats, window coverings, fans, sensors, cameras, locks, and garage door openers.

August, Friday, Koogeek, Kwikset, Schlage, and Yale all make HomeKit-enabled smart locks that can be controlled via Siri voice commands and HomeKit apps.

Article Link: Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices
 
  • Like
Reactions: macfacts

jclo

Editor
Staff member
Dec 7, 2012
1,731
3,526
California
Anyone have a link to an article that actually describes the vulnerability? The description here is rather vague in that it implies all HomeKit users were vulnerable but then Apple says the the problem was hard to reproduce.

It's actually 9to5Mac that said it was difficult to reproduce, fixed the wording there so it's not implying Apple said it. No additional information on the vulnerability has been provided, aside from the fact that it was an iOS 11.2 issue and affected devices running iOS 11.2 where a user had signed into iCloud.
 
Comment

mabhatter

macrumors 6502a
Jan 3, 2009
891
250
Sweet! The Gubermint really must want somebody. Presumably the minions of the secret lizard masters used this bug to break into someone’s house and then signed onto their Mac with Root privileges.

Nifty!
 
  • Like
Reactions: H3LL5P4WN
Comment

archvile

macrumors 6502
Oct 27, 2007
463
597
For some reason my Home app has a HUGE gap between the name of the Home at the top and the Favorite Scenes area, a gap of empty space big enough that it forces my favorite accessories to be cut off at the bottom of the screen... Anyone else see this?
 
Comment

cdavis11

macrumors 6502
Aug 31, 2009
289
65




August, Friday, Koogeek, Kwikset, Schlage, and Yale all make HomeKit-enabled smart locks that can be controlled via Siri voice commands and HomeKit apps.

Article Link: Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices

Good to know - I thought I was going to have to reset my home kit config this evening after my 3 schlage sense locks started reporting open/close actions again, even though I have them set to only report that status if neither my wife or I is home.

I guess i'd better turn notifications off until next week.
 
Comment

ideal.dreams

macrumors 68020
Jul 19, 2010
2,328
933
Ohio
Does Apple even have a quality assurance department at this point? The latest releases of iOS and macOS are downright embarrassing.

We share remote access in our family to access all of our HomeKit smart devices and now we're all unable to control our items until sometime next week. Absolutely ridiculous.
 
Comment

iamtheonlyone4ever

Suspended
May 27, 2016
334
174
it seems that this 2 words go together
apple vulnerability
this is the never ending story, they release updates that fixes the vulnerability that creates another vulnerability that require another patch , wow I can't believe what's happening lately, totally unacceptable

and this is not on iOS only Mac OS is having the same problem
so far in my opinion this the worse combination ever
iOS 11 , Mac OS high sierra
a plague of bugs
[doublepost=1512685132][/doublepost]
Another fix.. nice
a fix that fixes the problem but creates another problem that also needs to be fix
microsoft was good at this but it seems that apple wants to be better
:D
[doublepost=1512685297][/doublepost]
No. December BugFest™- billions of participants.
hosting the party
apple
 
Last edited:
Comment

Steve J0bs

macrumors 6502
Jul 30, 2008
253
73
I’ve been wondering why people added to my Home app couldn’t access the scenes and devices when on LTE. In addition to, this turns off location based automations if you have multiple people connected to home. Such as last person to leave house turning the lights off.
 
  • Like
Reactions: eastmanweb
Comment

cerote

macrumors 6502a
Mar 2, 2009
838
268
Slopping badly lately.

I started telling the relatives who I manage their stuff to hold off on updates longer. I generally give them a go on my devices before I tell them to update or do the updates for them. But lately I have to go from don't update to it needs that update to fix major issue a lot lately.
 
Comment

OldSchoolMacGuy

Suspended
Jul 10, 2008
4,197
9,049
Any other security issues we need to know about? One after another.

Do you have any HomeKit products that use shared users? If not then you have nothing to worry about. As it is, this wasn't a vulnerability that was made public so the chances anyone exploited it are incredibly slim.
 
Comment

mr_vinjah

macrumors newbie
Apr 28, 2016
10
13
SF, CA
Good to know - I thought I was going to have to reset my home kit config this evening after my 3 schlage sense locks started reporting open/close actions again, even though I have them set to only report that status if neither my wife or I is home.

I guess i'd better turn notifications off until next week.

I have a Sense and didn't realize you could have notifications stopped if you were geofenced within your home. Is that an iOS feature or within the Schlage app? I didn't know this was possible and would appreciate any info on that. Thanks!
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.