Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Dec 7, 2017.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    A HomeKit vulnerability in iOS 11.2 that allowed unauthorized access to HomeKit accessories that included smart locks has been fixed by Apple, the company told 9to5Mac in a statement today.

    To patch the vulnerability, which was reportedly difficult to reproduce, Apple disabled remote access for shared users, something the company says will be reintroduced in a software update that's set to be released early next week.

    Apple was able to address the vulnerability server side as it affected the HomeKit framework rather than individual HomeKit products. Though the vulnerability impacted all HomeKit devices, it is of particular interest to HomeKit users with smart locks and other HomeKit-enabled devices that allow access to the home, as someone able to exploit this kind of problem could gain entry to a dwelling without a physical key.

    9to5Mac says that Apple was first informed about the security issue and other related HomeKit vulnerabilities in October. Some of the problems were addressed in iOS 11.2 and watchOS 4.2, while the rest were fixed server side. HomeKit setups with at least one connected iPhone or iPad running iOS 11.2 and signed into a HomeKit user's iCloud account were impacted.

    Since its launch in 2014, HomeKit has seen many major improvements and its adoption has grown steadily. A wide range of manufacturers have embraced HomeKit, and there are HomeKit lights, outlets, switches, thermostats, window coverings, fans, sensors, cameras, locks, and garage door openers.

    August, Friday, Koogeek, Kwikset, Schlage, and Yale all make HomeKit-enabled smart locks that can be controlled via Siri voice commands and HomeKit apps.

     
  2. imran5720 macrumors regular

    imran5720

    Joined:
    Dec 21, 2013
  3. mainomega macrumors 6502

    Joined:
    Jun 5, 2007
  4. macbeta macrumors regular

    macbeta

    Joined:
    Nov 13, 2009
    #4
    After all the fuss about 3rd party developers being secure!
     
  5. Duane Martin macrumors 6502

    Duane Martin

    Joined:
    Oct 15, 2004
    Location:
    Calgary, Alberta
    #5
    Anyone have a link to an article that actually describes the vulnerability? The description here is rather vague in that it implies all HomeKit users were vulnerable but then Apple says the problem was hard to reproduce.
     
  6. btrach144 macrumors 65816

    btrach144

    Joined:
    Aug 28, 2015
    #6
    I thought the whole point of HomeKit was it was supposed to be secure? (Nothing is ever 100% secure but it’s what Apple touted) #fail
     
  7. Wackery macrumors 6502a

    Joined:
    Feb 1, 2015
  8. jclo Editor

    jclo

    Staff Member

    Joined:
    Dec 7, 2012
    Location:
    California
    #8
    It's actually 9to5Mac that said it was difficult to reproduce, fixed the wording there so it's not implying Apple said it. No additional information on the vulnerability has been provided, aside from the fact that it was an iOS 11.2 issue and affected devices running iOS 11.2 where a user had signed into iCloud.
     
  9. Westside guy, Dec 7, 2017
    Last edited: Dec 7, 2017

    Westside guy macrumors 603

    Westside guy

    Joined:
    Oct 15, 2003
    Location:
    The soggy side of the Pacific NW
    #9
    It still does - just maybe not the same one you're referring to.
     
  10. Bacillus macrumors 68020

    Bacillus

    Joined:
    Jun 25, 2009
    #10
    Did it take them from October to now to reproduce it or to find a HomeKit installation of relevance?
     
  11. MacFather macrumors 6502a

    MacFather

    Joined:
    Mar 16, 2012
    #11
    I miss Forstall.
     
  12. questionmark32 macrumors regular

    Joined:
    Sep 23, 2013
    #12
    It's not like they're not fixing their issues.
     
  13. Bacillus, Dec 7, 2017
    Last edited: Dec 7, 2017

    Bacillus macrumors 68020

    Bacillus

    Joined:
    Jun 25, 2009
    #13
    No. December BugFest™- billions of participants.
     
  14. mariusignorello macrumors 65816

    Joined:
    Jun 9, 2013
    #14
    Any other security issues we need to know about? One after another.
     
  15. mabhatter macrumors 6502a

    Joined:
    Jan 3, 2009
    #15
    Sweet! The Gubermint really must want somebody. Presumably the minions of the secret lizard masters used this bug to break into someone’s house and then signed onto their Mac with Root privileges.

    Nifty!
     
  16. archvile macrumors 6502

    archvile

    Joined:
    Oct 27, 2007
    #16
    For some reason my Home app has a HUGE gap between the name of the Home at the top and the Favorite Scenes area, a gap of empty space big enough that it forces my favorite accessories to be cut off at the bottom of the screen... Anyone else see this?
     
  17. cdavis11 macrumors 6502

    Joined:
    Aug 31, 2009
    #17
    Good to know - I thought I was going to have to reset my HomeKit config this evening after my 3 Schlage Sense locks started reporting open/close actions again, even though I have them set to only report that status if neither my wife nor I is home.

    I guess I'd better turn notifications off until next week.
     
  18. ideal.dreams macrumors 68020

    ideal.dreams

    Joined:
    Jul 19, 2010
    Location:
    OH
    #18
    Does Apple even have a quality assurance department at this point? The latest releases of iOS and macOS are downright embarrassing.

    We share remote access in our family to access all of our HomeKit smart devices and now we're all unable to control our items until sometime next week. Absolutely ridiculous.
     
  19. iamtheonlyone4ever, Dec 7, 2017
    Last edited: Dec 7, 2017

    iamtheonlyone4ever Suspended

    iamtheonlyone4ever

    Joined:
    May 27, 2016
    #19
    it seems that these 2 words go together
    apple vulnerability
    this is the never ending story, they release updates that fix the vulnerability that create another vulnerability that requires another patch, wow I can't believe what's happening lately, totally unacceptable

    and this is not on iOS only, Mac OS is having the same problem
    so far in my opinion this is the worst combination ever
    iOS 11, Mac OS High Sierra
    a plague of bugs
    --- Post Merged, Dec 7, 2017 ---
    a fix that fixes the problem but creates another problem that also needs to be fixed
    Microsoft was good at this but it seems that Apple wants to be better
    :D
    --- Post Merged, Dec 7, 2017 ---
    hosting the party
    apple
     
  20. Steve J0bs macrumors regular

    Joined:
    Jul 30, 2008
    #20
    I’ve been wondering why people added to my Home app couldn’t access the scenes and devices when on LTE. In addition, this turns off location-based automations if you have multiple people connected to home, such as last person to leave house turning the lights off.
     
  21. cerote macrumors 6502a

    cerote

    Joined:
    Mar 2, 2009
    #21
    Slopping badly lately.

    I started telling the relatives who I manage their stuff to hold off on updates longer. I generally give them a go on my devices before I tell them to update or do the updates for them. But lately I have to go from don't update to it needs that update to fix major issue a lot lately.
     
  22. OldSchoolMacGuy macrumors 601

    OldSchoolMacGuy

    Joined:
    Jul 10, 2008
    #22
    Do you have any HomeKit products that use shared users? If not then you have nothing to worry about. As it is, this wasn't a vulnerability that was made public so the chances anyone exploited it are incredibly slim.
     
  23. iLoveDeveloping macrumors 6502

    Joined:
    Sep 24, 2009
    Location:
    Ireland
  24. mr_vinjah macrumors newbie

    Joined:
    Apr 28, 2016
    Location:
    SF, CA
    #24
    I have a Sense and didn't realize you could have notifications stopped if you were geofenced within your home. Is that an iOS feature or within the Schlage app? I didn't know this was possible and would appreciate any info on that. Thanks!
     
  25. Glideslope macrumors 603

    Glideslope

    Joined:
    Dec 7, 2007
    Location:
    A quiet place in NY.
    #25
    It still does. It’s simply switched direction. :apple:
     
