
Paco II (original poster)
When I add a device via the Home app, I know that I am taking advantage of Apple's security model. But when a device needs a firmware update, I have to use the device maker's app, connect the device to an account I have to create with the device maker, and then I can finally update firmware. Doesn't this defeat some of the security aspects of using HomeKit?
 
The only way around this is to not do firmware updates. A smart home and tech in general is inherently not secure. No matter what’s advertised, how do you really know what of your personal information is being released out there? The only way is with completely dumb devices. Unless you’re hiding Hoffa’s body and the Feds are watching you, I wouldn’t worry about it too much. You can get a HomeKit secure router like eero or Linksys and restrict everything else to the home while you update one device. Apple is not going to push firmware updates for these other companies.
 
Well well well...

[Attached image]
 
That’s great! From a security perspective that’s how it should have always been. Hopefully it makes the actual 14.3 release cut.
The only thing I’m wondering is if it will truly be a security thing or if it’s only for the convenience factor of getting all updates under one roof. The third party manufacturer is still creating the firmware update and pushing it to HomeKit therefore opening up the line of internet communication. I’m not an internet network encryption engineer by any means but I’m trying to think using some logic. Even with HomeKit secure routers, you have to open up the communication with the third party for updates. Just thinking out loud.
 
... The third party manufacturer is still creating the firmware update and pushing it to HomeKit therefore opening up the line of internet communication. ..

I would be surprised if that is how it worked. I would assume it would funnel through Apple and they would validate the authenticity similar to what they do with apps.
 
Still a lot of questions but I guess time will tell... according to the article, it seems the third party will have to support this as well and they’re usually slow at adopting new HomeKit features. It’s definitely a start though...
 
Revisiting this thread. I don't currently have a router with HomeKit support, so putting that aside, is this the 'securest' approach with a new HomeKit device?

  1. Install manufacturer app
  2. Create an account in manufacturer's app (if required, often is)
  3. Set up device via manufacturer app
  4. Install firmware updates via manufacturer's app
  5. Remove device from manufacturer's app
  6. Log out of account in manufacturer's app
  7. Add device via Home app
And when Home app says a firmware update is available, basically repeat steps starting with step 3?
 
You are close but not all 3rd party Apps play nicely. For example if you remove a device from the manufacturer app sometimes it will be removed from Home App (HomeKit).

I made a mistake one time and removed devices from a manufacturer app and removed my home from the App then logged out and deleted the App. I opened the Home App to find out my entire Home was deleted from HomeKit :mad:

So be cautious and check the Home App along the way to make sure it's not removing the devices. Hope that makes sense?

Edit: I remembered the manufacturer's name and smart device. It was PureGear and their wall plugs. I'll admit it was several years ago so maybe they have updated things and it no longer acts that way? That was a bad day re-creating my entire home.
 
Yeah, it really depends on the device. Some will even auto update firmware without an app (and unrelated to the new HomeKit ability) if it can reach their servers from your home network (ex: logi and eufy cameras).

So, keep in mind that regardless of an app, wired and WiFi devices can still communicate directly outbound if you don’t block that traffic. That’s what HomeKit Secure Router does but also a lot of routers will allow you to block by MAC address.

What I do is:
  1. Set up in HomeKit.
  2. Block outbound internet access for the device.
  3. When there's a firmware update: unblock, apply firmware, reblock.
Even some provider-supplied routers let you do this, ex: AT&T fiber lets you do this with their web UI or “Smart Home Manager” iOS app.

What do you use for your router to the internet?
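
The block / unblock / reblock routine from the post above, as an added example that is not part of the original thread: a generator for an nftables ruleset that drops internet-bound traffic from listed device MACs while leaving LAN destinations reachable. It assumes a Linux-based router running nftables; the table name `iot_egress`, the group names and the MAC addresses are constructed for illustration.

```python
"""Render an nftables ruleset that keeps listed IoT devices LAN-only."""
import re

# Constructed sample inventory (hypothetical MACs): brand group -> device MACs.
DEVICES = {
    "cameras": ["AA:BB:CC:00:00:01", "aa-bb-cc-00-00-02"],
    "plugs": ["aa:bb:cc:00:00:10"],
}
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
# Destinations that stay reachable while blocked: private, link-local, multicast.
LAN_V4 = "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 224.0.0.0/4"
LAN_V6 = "fc00::/7, fe80::/10, ff00::/8"


def blocked_macs(devices, unblocked_groups=()):
    """Return sorted MACs to block; groups named in unblocked_groups are skipped."""
    unknown = set(unblocked_groups) - set(devices)
    if unknown:  # a typo must not silently leave the wrong group open or closed
        raise ValueError(f"unknown group(s): {sorted(unknown)}")
    macs = set()
    for group, members in devices.items():
        for raw in members:
            mac = raw.strip().lower().replace("-", ":")
            if not MAC_RE.fullmatch(mac):
                raise ValueError(f"bad MAC in {group!r}: {raw!r}")
            if group not in unblocked_groups:
                macs.add(mac)
    return sorted(macs)


def render_ruleset(devices, unblocked_groups=()):
    """Build text for `nft -f`; add+delete+define replaces the table in one load."""
    macs = blocked_macs(devices, unblocked_groups)
    # Some nft versions reject an empty `elements = { }`, so omit it when unused.
    elements = f"        elements = {{ {', '.join(macs)} }}\n" if macs else ""
    return (
        "add table inet iot_egress\ndelete table inet iot_egress\n"
        "table inet iot_egress {\n"
        f"    set blocked {{\n        type ether_addr\n{elements}    }}\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"        ether saddr @blocked ip daddr != {{ {LAN_V4} }} drop\n"
        f"        ether saddr @blocked ip6 daddr != {{ {LAN_V6} }} drop\n"
        "    }\n}\n"
    )


if __name__ == "__main__":
    # Update window for the cameras only; render with no argument to re-block all.
    print(render_ruleset(DEVICES, unblocked_groups=("cameras",)))
```

The rendered text is meant to be loaded with `nft -f` on the router that receives the devices' Ethernet frames directly; behind a second router the source MAC is no longer the device's, so the match has to live on the upstream-facing box that still sees it.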
 
So be cautious and check the Home App along the way to make sure it's not removing the devices. Hope that makes sense?

I made this mistake with my Wemo devices. Everything was fine in the Home app, but in the Wemo app it said a couple of devices were not available, do I want to hide them. Without thinking I selected 'yes', and then when I went to the Home app, they were gone! And I was away from home with no way to add them back :(
 
Using a Google Nest Wifi (no hating 😄). I wonder if I can achieve that with the Family Pause feature. Not sure though. I'll have to give it a try.

 
Does this connect to another device that connects you to the internet? If it does, you’re probably wanting to look on that other device.

I don’t know about nest WiFi features particularly, but it needs to be something that still allows connection to your home network but blocks internet-bound traffic.
 
To follow up on this, it appears to work using the Google Nest Wifi 'Family' feature. I was able to confirm by trying it with a security camera. Video continues to work via the Home app, but when I try to view via the manufacturer's app, it does not.

Now, the next question I have is about Firmware upgrades. I would obviously have to 'unpause' a Family group to install an update, but what about firmware update notifications that happen within the Home app? I assume that check is done direct, and not via the manufacturer's app? I want to confirm if I would still get those notifications from the Home app when blocking the device's ability to connect directly via the internet.


 
Great, glad it works!

I'm pretty sure I've received firmware update notifications from some devices while they were blocked, but not 100% positive. So, I'm gonna go with "IDK" (sorry).

I'm also pretty sure that it's not a required capability - while I have received them from some vendors (ex: iHome plugs, logi cameras), I have several devices across various vendors that have not popped up firmware notifications through HomeKit (ex: Aqara, eufy). Though, it's possible that they do and I haven't because they've always been blocked (?).

Anyone reading this thread ever get firmware updates in HomeKit for Aqara hub/devices or eufy cameras?
 

I guess at worst I periodically ‘unpause’ those devices to check for updates. I’ve created multiple family groups to organize my HomeKit devices by brand to facilitate that.
 
The multiple groups is a good idea.

How often I check for updates varies. For newer products, I tend to check more often, as they typically need more bug fixes. Eufy camera firmwares have made a HUGE improvement to the point that I'm not following closely for updates, any more.

For older products, I rather just stopped checking. There's less likely to be an update, and really, if they're working fine, I don't really care much if there's an update or not.

Just checked - turns out my Aqara hub firmware is a bit behind. Looks like it was last updated in June, most recent update a few weeks ago. It's blocked and no notification about it in HomeKit. I unblocked it ~15 min ago, no update notification (yet?) in HomeKit. It's working fine, but I'll probably go ahead and update.
 