
Iconoclysm

macrumors 68040
May 13, 2010
3,121
2,545
Washington, DC
Apple's policy to rush out new versions of iOS each year is pathetic. Their quality control is complete garbage and before someone says, well iOS is a complex operating system having to support both current and many legacy devices ... I don't give a damn.

Apple used to stand for quality, but iOS has become a bloated operating system where the hype is always about new emojis. Apple needs to get off the annual release of major iOS versions and concentrate on efficiency and bug fixes.

If the vulnerability is server side, I'm not sure it really qualifies as an iOS issue. Otherwise, security vulnerabilities aren't exactly part of the QA process.
You read an article about a vulnerability in Homekit's framework but decided to post a comment throwing dirt on 3rd parties? I mean while we're at it, let's just blame the macOS hole and iOS issue on 3rd parties too. Not only do you unfairly disparage 3rd parties, you try to diminish Apple's culpability with "at least they are pretty good at fixing problems fast once they are identified". So they aren't at fault and they fix problems fast. Got it. We should be grateful.

I gotta preemptively apologize. For some odd reason I am unnaturally and unreasonably triggered by your post. I think it's the blame others but praise Apple's quickness take that's got me sideways. It's either that or the fact that the cat keeps sticking her paw in my scotch glass and drinking from her claw. Little bit of column A, little of column B maybe. Sorry.

A security vulnerability is bound to happen here or there, the only thing I'd defend is people overreacting.
I'm baffled how people can leave the security of their house, valuables, and loved ones in the hands of Apple software. Based on all the exploits going on lately, I wouldn't be surprised if it just automatically let a stranger into your home and then pointed them to the valuables.

Until I put bars on the windows, most of my home's security is really just in the hands of an easily broken pane of glass.
 

vipergts2207

macrumors 601
Apr 7, 2009
4,210
9,306
Columbus, OH
There can be several arguments like these. Let me provide one for fun as I was thinking on the same lines. It would take 100 of those locksmiths to open 100 homes but it would take a long time while a 400 pound guy (Trump Russia hack reference) sitting in his basement could open more than a thousand homes within seconds.

And what happens after he does so? Thousands of people get notifications that their door was unlocked? Unless there are also thousands of people standing by, ready to break into all those homes, then it sounds rather uneventful.


I don't care if it ruffles feathers. Anyone who allows access to their car or home via app is a fool.

You don't need to be anything close to a well-skilled hacker to break into a home. Someone with a drill or simply a strong able-bodied person would be able to do so with relative ease. I assume your home has no windows and solid steel doors with more than a simple deadbolt? If not, it seems like you've got quite the false sense of security.
 

Delgibbons

macrumors 6502a
Dec 14, 2016
745
1,600
London



A HomeKit vulnerability in iOS 11.2 that allowed unauthorized access to HomeKit accessories that included smart locks has been fixed by Apple, the company told 9to5Mac in a statement today.

To patch the vulnerability, which was reportedly difficult to reproduce, Apple disabled remote access for shared users, something the company says will be reintroduced in a software update that's set to be released early next week.

Apple was able to address the vulnerability server side as it affected the HomeKit framework rather than individual HomeKit products. Though the vulnerability impacted all HomeKit devices, it is of particular interest to HomeKit users with smart locks and other HomeKit-enabled devices that allow access to the home, as someone able to exploit this kind of problem could gain entry to a dwelling without a physical key.

9to5Mac says that Apple was first informed about the security issue and other related HomeKit vulnerabilities in October. Some of the problems were addressed in iOS 11.2 and watchOS 4.2, while the rest were fixed server side. HomeKit setups with at least one connected iPhone or iPad running iOS 11.2 and signed into a HomeKit user's iCloud account were impacted.

Since its launch in 2014, HomeKit has seen many major improvements and its adoption has grown steadily. A wide range of manufacturers have embraced HomeKit, and there are HomeKit lights, outlets, switches, thermostats, window coverings, fans, sensors, cameras, locks, and garage door openers.

August, Friday, Koogeek, Kwikset, Schlage, and Yale all make HomeKit-enabled smart locks that can be controlled via Siri voice commands and HomeKit apps.

Article Link: Apple Fixed iOS 11.2 Vulnerability That Allowed Unauthorized Access to HomeKit Devices

Apple: on a roll ;)
 

albebaubles

macrumors 6502a
Feb 9, 2010
623
544
Sierra in view
I know! It's so work intensive to have to press "Download and Install". Come on Apple, just leave the vulnerabilities open, so we don't have to update our software so much. Stop patching iOS so much, it's inconvenient. Is one of these "/S" required in this case?
You can be flippant about it -- but the constant downloads are a problem if you don't have high speed internet.
 

mikecorp

Suspended
Mar 20, 2008
502
341
pathetic.. you can not trust them anymore. I'm using keychain, but I think I should stop with that feature too.
 

bighype

macrumors regular
May 1, 2014
136
466
Apple's software and security reputation is so low, they're at a lower point than Microsoft was in 1990s. Amazing how incompetent their management is.
 

whit2891

macrumors member
Aug 26, 2013
58
37
....meanwhile Google just sold an ungodly amount of Mini Homes on Black Friday and Alexa is making a push into businesses. If there isn't a massive Siri upgrade, can Apple even play in this game?
 

Naraxus

macrumors 68020
Oct 13, 2016
2,085
8,468
Once again we see the end result of Cook the Coward's policies in the form of terrible software. Forstall should be counting his blessings that he no longer need report to such a despicable and detestable CEO.
 

aristobrat

macrumors G5
Oct 14, 2005
12,292
1,403
....meanwhile Google just sold an ungodly amount of Mini Homes on Black Friday and Alexa is making a push into businesses. If there isn't a massive Siri upgrade, can Apple even play in this game?
I don't see why they couldn't play in this game?

Their #1 selling product (iPhone) has less than 20% of the global smartphone marketshare... Less than 20%...

Even with Google Home's Black Friday sale (and Amazon Alexa moving into businesses), I'd guess that there's still some marketshare left for Apple.
 

melendezest

Suspended
Jan 28, 2010
1,693
1,579
I'm too old-school for all this.

Nobody will EVER hack into my house, because I will never have home automation.

They'll have to be there, with a lock pick.

And then either the alarm or the camera (only have them outside) catches them, or my Benelli M4 will.
 

teknikal90

macrumors 68040
Jan 28, 2008
3,346
1,901
Vancouver, BC
May I ask what Lighting system you were using? I am using the dot with it and it did not break. Still functions like day one. Hence my question on which system you are using.
Echo dot -> Alexa Skill --> Koogeek app --> Koogeek smartplug --> ikea lightstand

Alexa Skill works by letting the Koogeek app (natively a HomeKit app) receive third party instructions (from Alexa skill)
 

Analog Kid

macrumors G3
Mar 4, 2003
8,857
11,370
I miss Forstall.
It’s amazing how much has changed since Forstall’s departure
It would be great to see Forstall back

Why? Would making HomeKit keys look like skeuomorphically real keys have improved physical security?

HomeKit launched like a year and a half after Forstall's departure, do you know the architectural flaw wasn't introduced under his watch?

Every version of iOS he was responsible for was jailbroken. It's not like Forstall had a history of air tight security.

People here have a tendency to reduce complex issues to ones of individual personalities. That almost works for Jobs because the man was a titan, but even there it's a vast oversimplification predicated on selective memory.

The root user vulnerability was inexcusable. I don't know the nature of this HomeKit vuln, but the consequences are enormous, regardless of how sophisticated the attack needed to be.

However, to say it's all because one man, who nobody seemed eager to defend at the time, was fired 5 years ago is a good narrative but generally baseless. We don't know why he left, though everyone replying seems to have read the same Wikipedia article, and we don't have much evidence that he was effective while he was there.
 

gatearray

macrumors 65816
Apr 24, 2010
1,130
232

"The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week."

The cure is worse than the disease! Seriously though, if you "fix" a problem by smashing it with a hammer it's not really "fixed" in my opinion.
 

vipergts2207

macrumors 601
Apr 7, 2009
4,210
9,306
Columbus, OH
I'm too old-school for all this.

Nobody will EVER hack into my house, because I will never have home automation.

They'll have to be there, with a lock pick.

And then either the alarm or the camera (only have them outside) catches them, or my Benelli M4 will.

What good is hacking into a home if you're not also physically there?
 

rhett7660

macrumors G5
Jan 9, 2008
14,224
4,300
Sunny, Southern California
Echo dot -> Alexa Skill --> Koogeek app --> Koogeek smartplug --> ikea lightstand

Alexa Skill works by letting the Koogeek app (natively a HomeKit app) receive third party instructions (from Alexa skill)

I thought I mentioned I was using Lutron Caseta which it looks like I didn't. Here is hoping a quick fix either comes from Apple or Ikea.

So far I have not noticed it breaking my calendar, list, thermostat, or lights. Fingers crossed it stays that way. I am not using Homekit though, just the native App. I did however notice the Alexa App takes a little longer to boot up after this last update though.
 

parseckadet

macrumors 65816
Dec 13, 2010
1,489
1,269
Denver, CO
I'm baffled how people can leave the security of their house, valuables, and loved ones in the hands of Apple software. Based on all the exploits going on lately, I wouldn't be surprised if it just automatically let a stranger into your home and then pointed them to the valuables.
Amazon does exactly that, but they call it a feature. Amazon Key

For all the people saying “No HomeKit, no buy” because of HomeKit’s top-notch security, just keep this incident in mind.
Let's see, so there was a flaw in HomeKit and Apple fixed it, for everyone via a server patch, before there were any known exploits in the wild. On the other hand, millions of cheap IP cameras and other IoT devices were hacked and the Chinese companies behind them didn't even release firmware updates. Oh, you bet I'll keep this incident in mind.

When your life or life savings depends on it. E.g. the airlines you fly
Do you seriously think airline software doesn't have bugs? Just look at the giant fiasco last couple of weeks involving American Airlines. They had to scramble to avoid cancelling tens of thousands of flights during the holidays due to issues with the software used to schedule vacation time for pilots. And there have been numerous occasions just this year where entire airlines were shut down due to servers crashing.
 

Diving Capers

macrumors 6502
Jun 10, 2017
254
349
Why? Would making HomeKit keys look like skeuomorphically real keys have improved physical security?

HomeKit launched like a year and a half after Forstall's departure, do you know the architectural flaw wasn't introduced under his watch?

Every version of iOS he was responsible for was jailbroken. It's not like Forstall had a history of air tight security.

People here have a tendency to reduce complex issues to ones of individual personalities. That almost works for Jobs because the man was a titan, but even there it's a vast oversimplification predicated on selective memory.

The root user vulnerability was inexcusable. I don't know the nature of this HomeKit vuln, but the consequences are enormous, regardless of how sophisticated the attack needed to be.

However, to say it's all because one man, who nobody seemed eager to defend at the time, was fired 5 years ago is a good narrative but generally baseless. We don't know why he left, though everyone replying seems to have read the same Wikipedia article, and we don't have much evidence that he was effective while he was there.

Do you know the flaw “was” introduced under his watch?

Jailbreaking was popular back then because of the extra features you could have, however, as they started to be introduced to iOS, jailbreaking started to lose its appeal.

It doesn’t take much to see the flaws under Cook’s stewardship, he obviously doesn’t have the know-how to direct a company like Apple. Maybe he was good at supply chain management, but vision and attention to detail are, painfully obvious, not a strength of his.

It was also obvious that Jobs saw something in Forstall and if I had to guess I would say that he might have been considered green for the CEO position when Jobs passed. The fact that Cook ousted him in a hurry says a lot, he was obviously threatened by Forstall.

I wasn’t a fan of him (Forstall), however I believe he had a better understanding of where Apple should be than Cook will ever have.

Cook would be better suited to running a fashion company that is heavily involved in some kind of charity. This way he would only have to concentrate on how things look and he would have plenty of time to bore people to death on how he is helping humanity.

Your points might have some validity however you shouldn’t make assumptions on how people reached their respective points of view.

Maybe you believe Cook is doing a decent job.... or maybe you think he isn’t.... that is your opinion as mine is mine and others are others.

Quite simple really.
 

kstotlani

macrumors 6502a
Oct 27, 2006
774
1,234
Do you seriously think airline software doesn't have bugs? Just look at the giant fiasco last couple of weeks involving American Airlines. They had to scramble to avoid cancelling tens of thousands of flights during the holidays due to issues with the software used to schedule vacation time for pilots. And there have been numerous occasions just this year where entire airlines were shut down due to servers crashing.

I was talking about software on the flight not the reservation system.
 

Analog Kid

macrumors G3
Mar 4, 2003
8,857
11,370
Do you know the flaw “was” introduced under his watch?

Jailbreaking was popular back then because of the extra features you could have, however, as they started to be introduced to iOS, jailbreaking started to lose its appeal.

It doesn’t take much to see the flaws under Cook’s stewardship, he obviously doesn’t have the know-how to direct a company like Apple. Maybe he was good at supply chain management, but vision and attention to detail are, painfully obvious, not a strength of his.

It was also obvious that Jobs saw something in Forstall and if I had to guess I would say that he might have been considered green for the CEO position when Jobs passed. The fact that Cook ousted him in a hurry says a lot, he was obviously threatened by Forstall.

I wasn’t a fan of him (Forstall), however I believe he had a better understanding of where Apple should be than Cook will ever have.

Cook would be better suited to running a fashion company that is heavily involved in some kind of charity. This way he would only have to concentrate on how things look and he would have plenty of time to bore people to death on how he is helping humanity.

Your points might have some validity however you shouldn’t make assumptions on how people reached their respective points of view.

Maybe you believe Cook is doing a decent job.... or maybe you think he isn’t.... that is your opinion as mine is mine and others are others.

Quite simple really.
What assumptions did I make about how you reached your point of view? My whole comment started with the question "why?". Why does anyone think Apple software would be better with Forstall in place? How had he demonstrated competence in systems with this level of complexity? What vision did he show?

I'm not assuming how you reached your point of view, I'm asking how you reached it. If it just boils down to "I don't like Cook, Cook fired Forstall, ergo Forstall must be awesome" then I don't find it very compelling. Forstall had a long tenure at Apple-- what tangible evidence is there for your point of view?

Jobs may have seen something in him, but was it anything more than his being a loyal lieutenant? Jobs kept him around, but Jobs also kept Cook and Ive around. Jobs selected Cook for the CEO slot. So if your opinion is predicated on Jobs' opinion, then Jobs thought Cook was the better successor.


To quickly address your other points: I don't need to know that the flaw happened while he was there because I'm not arguing it wouldn't have if he were. The fact that every iOS version under Forstall was jailbroken demonstrates that every version had serious security flaws. Cook didn't "oust" Forstall, he was Forstall's boss and fired him. He didn't do it in a hurry, he did it after a year and after several high profile failures. I wasn't there, so only know what I read, but most of the evidence suggests that none of the top management would work with Forstall-- which doesn't make him a likely coup leader. So, it's unlikely that Cook was threatened by him-- it's more likely that he saw no reason to retain someone that divisive and who refused to take responsibility for their own work.
 