Apple's Strict Bluetooth LE Security Requirements Slowing Rollout of HomeKit Accessories

[MacRumors]

While it has been more than a year since Apple launched HomeKit, a software framework for communicating with and controlling light bulbs, thermostats, door locks and other connected accessories in the home, only five HomeKit-approved products have been released to date: the Ecobee3, Elgato Eve, iHome iSP5 SmartPlug, Insteon Hub and Lutron Caseta Wireless Lighting Starter Kit.

The slow rollout of HomeKit-enabled hardware accessories is not because of a lack of interest in the platform, but rather Apple's strict security requirements for Bluetooth LE (low energy) devices, according to Forbes. In particular, the strong level of encryption required to use the HomeKit protocol through Bluetooth LE has resulted in lag times that essentially render some accessories useless.

For example, a smartlock that makes its user wait 40 seconds before it opens is clearly inferior to a traditional lock. One of HomeKit's selling point is that it provides a more reliable user experience, so these kinds of lag times will need to be sorted out before Apple can become a major platform for the smart home.

Elgato Eve smart home sensors for doors, windows and energy consumption​

Chipmakers such as Broadcom and Marvell have reportedly been working to improve their Bluetooth LE chips to more effectively handle Apple's level of encryption, an important step if the company wants to become a major player in the smart home. In the meantime, developers have either been focusing on Wi-Fi-based HomeKit hardware or working on temporary solutions to the problem.

For the time being, Elgato has found a workaround for these problems with Bluetooth LE. It's tweaked the firmware and added additional on-chip memory to handle the heavy-duty encryption. Elgato was not anticipating having to go make these modifications initially, and now the company hopes to make a side business selling its tweaks to other device makers wanting to build HomeKit devices with Bluetooth LE.

HomeKit delays have also been attributed to "sparse and shifting" documentation and Apple's tedious certification process for its "Made for iPhone/iPad/iPod" (MFi) program. HomeKit accessory makers are required to send multiple prototypes of their products to Apple for testing, and the process can be lengthy until Apple is satisfied.

Apple's attention to detail and focus on security should prove worthwhile for customers, however, and the company has the size and reputation to enforce manufacturers to adopt those high standards. "This is one of those things that Apple does," a source working on a HomeKit device told Forbes. "They force an issue. It's like that here. Regular Bluetooth has an issue -- it's not secure."

Article Link: Apple's Strict Bluetooth LE Security Requirements Slowing Rollout of HomeKit Accessories

 

[myemailisjustin]

rather wait 40 seconds than have it hacked over the internet...hello chrysler

 

[zorinlynx]

This is one of those forward thinking things that will inconvenience us now but be worthwhile later.

 

[BMcCoy]

Security first... efficiency later.

I'm okay with that.....

 

[unplugme71]

I agree, with all the things being connected these days, its nice to have someone leading the industry with security in place. Unlike some car manufacturers out there!

 

[OldSchoolMacGuy]

Security first. That's just fine.

Would rather have it slow rollout than people able to easily break into my place remotely.

 

[rdlink]

Agree with the other posts, and Apple's position. If the lock to my front door is going to be internet connected it damn well needs to be secure.

 

[doelcm82]

rather wait 40 seconds than have it hacked over the internet...hello chrysler

I'd rather stick to a traditional key than wait 40 seconds. But I'm confident that they'll make the necessary changes, so a 40-second wait is not necessary even with the extra security.

 

[avanpelt]

Translation of the article: It will be 2 to 3 years minimum before HomeKit becomes a viable technology for the vast majority of Apple's customer base. Forty seconds to unlock a door? The average person is going to say "screw that" and just continue to use a key. If my brand new Mac took 40 seconds to boot, that would be considered a problem.

Truth be told, Apple should've been talking to chip makers and app developers behind the scenes for at least another year or two before they announced HomeKit to the public. This "just get something shipped and we'll fix it later but we're going to present this new thing at the keynote as if it's ready for prime time and it's groundbreaking" approach that Apple seems to be taking more and more these days is getting old.

 

[reallynotnick]

I'd rather stick to a traditional key than wait 40 seconds. But I'm confident that they'll make the necessary changes, so a 40-second wait is not necessary even with the extra security.

Downside to a traditional key is it will take someone less than 5 seconds to bump the lock open. (Of course there are more complex locks out there, just they are rarely used)

But yes they will for sure have to sped up the process, but I'm glad they are paying attention to the details and making it secure from the start.

 

[Mike MA]

 

[avanpelt]

Downside to a traditional key is it will take someone less than 5 seconds to bump the lock open.

If someone wants to break into your house, a door lock that is controlled using enhanced bluetooth encryption is not going to stop them.

All these HomeKit-enabled locks do is allow you to do is control the lock with your phone or tablet. I haven't seen any bluetooth-enabled lock on the market that purports to be more effective than a traditional keyed lock at preventing a break-in. If someone wants to destroy a lock to get into your house, they'll do it whether you have a $20 traditional keyed lock or a $200 HomeKit-enabled lock.

These "internet of things" devices as we know them today are primarily about convenience, not primarily about having additional physical security above and beyond what traditional, non-connected products offer. Don't get me wrong, I have a house full of Insteon products and I am a big believer in "connected" stuff in the home. That said, I recognize that my use of Insteon products is primarily due to their convenience. I like to think that my use of said products makes my home more secure, as well; but in reality, I know that I just have a fascination with technology and being able to control things in my home from across town or from thousands of miles away is pretty cool.

 

[WordsmithMR]

Security first. That's just fine.

Would rather have it slow rollout than people able to easily break into my place remotely.

This allows for an attacker to catch up to you... May not seem like something that could happen in a neighborhood with a house using tech like this... But those are the neighborhoods that this happens.

 

[2457282]

I have been impatiently waiting for Hue to get it together and gent on the Homekit bandwagon. If the delay is due to security as stated here then I guess I will be a bit more patient. I would hate for someone to hack in and turn off the lights when I am in the shower or something.

Seriously though, I totally support security. This is important.

 

[bookwormsy]

Agreed. I see nothing wrong with emphasizing security when it comes to my house. When you look at all of the IP cameras that are totally exposed and have been for years, it's scary to imagine that your lock could be as exposed.

Plus since it's Apple, people are going to be thoroughly vetting their security, independently. .

 

[currocj]

A thermostat delaying 40 seconds, on the other hand, is no problem at all

 

[xraydoc]

I have a house full of connected equipment - z-wave enabled deadbolts, Hue/GE/Cree light bulbs, Lutron Caseta dimmer switches, Nest thermostat, cameras and smoke detectors, etc.

A determined thief is not going to be stopped by any of it (though his picture will most certainly be captured by one at least one of the several cameras). Who needs to electronically hack a deadbolt when there's a bunch of windows that are much easier to physically get through...?

A professionally-monitored ADT alarm system, independent from the rest of the connected-home equipment, is the main deterrent. Loud klaxons drawing lots of attention - plus a call to the near-by police station - should be a potential burglar's main concern.

 

[longofest]

Security first absolutely, but did you read the insane requirements?

Elliptic Curve and 3072 bit keys... What are we guarding against, quantum computers? What's wrong with good old AES 256?

 

[jdillings]

Security is overrated just ask Microsoft and Adobe

 

[tillsbury]

The question is: does Ashley Madison's server know you've gone out?

 

[iMacDragon]

Downside to a traditional key is it will take someone less than 5 seconds to bump the lock open. (Of course there are more complex locks out there, just they are rarely used)

This is something I really don't understand, that most door locks are so crappy, when there's far better options available.

Basically every door lock in finland for example is unbumpable, and very hard to pick.

 

[avanpelt]

Security first absolutely, but did you read the insane requirements?

Elliptic Curve and 3072 bit keys... What are we guarding against, quantum computers? What's wrong with good old AES 256?

I don't know if the encryption requirements are the culprit, but I do know that one of the few HomeKit-enabled devices I've been following that's available now -- the Insteon Hub Pro -- is being absolutely trashed by the majority of reviewers as being unreliable when it comes to using HomeKit's features to control Insteon devices -- which is the only real selling point of the "Hub Pro".

It seems to me that HomeKit now is half-baked much like Apple Maps was when it launched. I'm sure there's a lot of blame to go around -- from Apple to app developers, to hardware makers. In the end, though, HomeKit is Apple's baby. They're the ones who decided to tell the world about it over a year ago and make it appear as though HomeKit was going to revolutionize our homes in relatively short order. Like Apple Maps a few years ago, I think Apple pulled the trigger and unveiled HomeKit to the world way before they should have.

 

[mw360]

Security first absolutely, but did you read the insane requirements?

Elliptic Curve and 3072 bit keys... What are we guarding against, quantum computers? What's wrong with good old AES 256?

But this gear isn't like buying an iPhone that I'm going to toss in two years. If I install locking and lighting and heating systems deeply embedded into my house, I'm going to want at least some of that stuff to last thirty years. Folks are installing solar panels, LED lighting, boilers etc. which don't pay for themselves for at least 10, 15, 20 years. Whatever protocols they design now, really have to last for a very very long time. Home automation isn't going to work if Apple pull their usual stunt of forcing us to upgrade all our hardware on their schedule. Futureproofing their security is a promising suggestion that they won't.

 

[Zxxv]

A professionally-monitored ADT alarm system, independent from the rest of the connected-home equipment, is the main deterrent. Loud klaxons drawing lots of attention - plus a call to the near-by police station - should be a potential burglar's main concern.

All that does is annoy neighbours and anyone walking past, neither of which comes running to help or see what the commotion is.

 

[rdlink]

[QUOTE="xraydoc, post: 21623524, member: 59619"...A professionally-monitored ADT alarm system, independent from the rest of the connected-home equipment, is the main deterrent. Loud klaxons drawing lots of attention - plus a call to the near-by police station - should be a potential burglar's main concern.[/QUOTE]

Actually, this is just as much of a deterrent, and much, much cheaper...

http://www.amazon.com/Home-Security...qid=1437601250&sr=8-3&keywords=alarm+stickers