Toggle sidebar Toggle sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

HomeKit Homekit privacy/security question

P

phillyman

macrumors regular
Original poster
Hi All,

One of the biggest reasons I like Apple is their approach to security. I stumbled across an old reddit thread about Chinese brands and had a more general question.

If I setup a device using just the Apple Home Code and interact with it solely through Apple Home I was under the (maybe wrong) impression that only Apple would see certain data but that most requests would be handled locally through my Apple homes. Clearly some data would be through the cloud (when away from local network). But that most if not all would be encrypted. I also assumed that those devices would not be able to report back to their corporate overlords with my data. Did I falsely assume Apple blocked all other access ?

I'm not naive there can be backdoors etc. But in general am I correct or incorrect about if solely using Apple it should be just reporting back to Apple?

Is there also a difference between Apple home and now matter devices through apple home?

Thank you for any insight,

Philly
 
phillyman said:
Did I falsely assume Apple blocked all other access ?
Click to expand...
Apple doesn't/cannot block anything. It really depends on the device and its capabilities. Some HomeKit devices are Bluetooth or Thread devices. They don't have a WiFi chip, so you can be sure they'll never connect to the internet and "phone home". These types of devices can be simple things like lights and outlets (though there are WiFi-enabled lights and outlets as well).

Then there are other HomeKit devices that operate over WiFi. They need to connect to your router, and therefore can also access the internet. I have a WiFi security camera that I'm able to add to my Apple Home and control it there, but I'm also still able to control it remotely through the manufacturer’s app/site. For these types of devices, if you don't trust them, then you need to set up some firewall rules on your network to block access to the internet after adding them to your Apple Home.
 
the thread network is an extension of your main network, just like wifi is, it's just a different form of radio, but still runs on the the IP spec that the internet does. anything connected to that can connect to the internet also. they can pull their own updates,
 
thank you both for your replies. I misunderstood and thought that apple controlled everything that was built on their homekit protocols and as gatekeeper walled off the rest. I know I could setup the devices through their respective apps but avoided that so that it wasn't associated with me. I'd hoped that if I registered and used it exclusively through apple home I had insulated myself.

Guess I'll figure out which IPs are used by which equipment and block their access and see if it breaks anything I care about.

Thank you again for clarifying.

Philly

PS: If you live in the US and are affected by the coming storm, stay safe
 
phillyman said:
thank you both for your replies. I misunderstood and thought that apple controlled everything that was built on their homekit protocols and as gatekeeper walled off the rest. I know I could setup the devices through their respective apps but avoided that so that it wasn't associated with me. I'd hoped that if I registered and used it exclusively through apple home I had insulated myself.

Guess I'll figure out which IPs are used by which equipment and block their access and see if it breaks anything I care about.

Thank you again for clarifying.

Philly

PS: If you live in the US and are affected by the coming storm, stay safe
Click to expand...

the best approach is to put all of your networkable devices on a dedicated VLAN that is restricted from outbound traffic, and only your home hub (Apple TV / Homepod) can talk to locally.

what homekit does mandate is that all native homekit devices must be controllable locally by the home hub.

so if the devices cant connect to the internet, the home hub can still control them. so as long as the home hub can access the outside (to get to icloud), then you can still fully remotely access everything through the home app (including cameras) even if the devices themselves are blocked from internet access. this also means if your internet goes down and you are home, everything still works locally.

if your device has the homekit qr code, use it and dont bother with the manufacturers app. just be careful as some devices claim homekit support, but -only- through a third party hub (like some ikea/aqara sensors, some eufy cameras etc), you dont want that. avoid 3rd party apps.


even better approach: dont use IP networkable devices at all.

setup homebridge, hubitat or homeassistant and buy zigee and zwave devices. these types of devices cannot talk to internet and do not rely on network connectivity to function. once paired with homebridge/hubitat/homeassistant they are 'bridged' into Apple Home, and you can see and control everything natively in Home app, locally or remotely.
 
Last edited:
BigBlur said:
Apple doesn't/cannot block anything.
Click to expand...

not entirely true. there are (were?) some routers that support Homekit. and they do block accessories outbound traffic.

my understanding is they do the same thing, isolate the client devices from external connectivity.

Use routers secured with HomeKit - Apple Support

Add more protection to your HomeKit accessories by controlling which services and devices they communicate with on your home Wi-Fi network and over the internet.
support.apple.com support.apple.com
 
Last edited:
  • Like
Reactions: kitKAC
erihp said:
not entirely true. there are (were?) some routers that support Homekit. and they do block accessories outbound traffic.

my understanding is they do the same thing, isolate the client devices from external connectivity.

Use routers secured with HomeKit - Apple Support

Add more protection to your HomeKit accessories by controlling which services and devices they communicate with on your home Wi-Fi network and over the internet.
support.apple.com support.apple.com
Click to expand...
I actually did get a mesh homekit compatible router but it was a piece of crap... My unlikely pipe dream is that they again start making airport netowrkign. I read last year a rumor that the new homepods could be part of a mesh network (my dream).

Philly
 
erihp said:
the best approach is to put all of your networkable devices on a dedicated VLAN that is restricted from outbound traffic, and only your home hub (Apple TV / Homepod) can talk to locally.

what homekit does mandate is that all native homekit devices must be controllable locally by the home hub.

so if the devices cant connect to the internet, the home hub can still control them. so as long as the home hub can access the outside (to get to icloud), then you can still fully remotely access everything through the home app (including cameras) even if the devices themselves are blocked from internet access. this also means if your internet goes down and you are home, everything still works locally.

if your device has the homekit qr code, use it and dont bother with the manufacturers app. just be careful as some devices claim homekit support, but -only- through a third party hub (like some ikea/aqara sensors, some eufy cameras etc), you dont want that. avoid 3rd party apps.


even better approach: dont use IP networkable devices at all.

setup homebridge, hubitat or homeassistant and buy zigee and zwave devices. these types of devices cannot talk to internet and do not rely on network connectivity to function. once paired with homebridge/hubitat/homeassistant they are 'bridged' into Apple Home, and you can see and control everything natively in Home app, locally or remotely.
Click to expand...
This is a bit over my head. So With a Vlan if I put them on their own dedicated wifi network and block that network for outbound traffic? Wouldnt I then have to put my homepods also on that network and then switch back and forth between my primary LAN and and the IOT wifi?

I use a synology router so I know I have all kinds of network options.

Thank you for pointing me in the right direction.

Philly
 
phillyman said:
This is a bit over my head. So With a Vlan if I put them on their own dedicated wifi network and block that network for outbound traffic? Wouldnt I then have to put my homepods also on that network and then switch back and forth between my primary LAN and and the IOT wifi?

I use a synology router so I know I have all kinds of network options.

Thank you for pointing me in the right direction.

Philly
Click to expand...

the home hub doesn't necessarily have to be on that VLAN but they need to be able to access that VLAN. or they -could- be on the VLAN but be the only device allowed to route out beyond the LAN.

this might be a good place to start that is geared toward a synology.

kb.synology.com

Synology VLAN Deployment Quick Start Guide - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.
kb.synology.com kb.synology.com

kb.synology.com

How do I create firewall rules to allow or deny IP addresses to access SRM or the local network? - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.
kb.synology.com kb.synology.com

you can do this!
 
Last edited:
  • Love
Reactions: phillyman
erihp said:
the home hub doesn't necessarily have to be on that VLAN but they need to be able to access that VLAN. or they -could- be on the VLAN but be the only device allowed to route out beyond the LAN.

this might be a good place to start that is geared toward a synology.

kb.synology.com

Synology VLAN Deployment Quick Start Guide - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.
kb.synology.com kb.synology.com

kb.synology.com

How do I create firewall rules to allow or deny IP addresses to access SRM or the local network? - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.
kb.synology.com kb.synology.com

you can do this!
Click to expand...
thank you.. good project in the snow
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back