Developer Reveals Details Of Recent Apple HomeKit Vulnerability

A recently patched vulnerability in Apple’s HomeKit protocol for smart home devices wasn’t properly fixed for months, and a new blog post has revealed inner details about the security flaw.

Yeamake /

Developer Khaos Tian claims to have discovered the vulnerability in October, according to his new post on Medium. He also said that although he quickly notified Apple about the vulnerability, the company said it was investigating the issue through November. But by the time iOS 11.2 was released in early December, as Tian writes, “they introduced a new message which makes the whole attack a lot easier.”

Major Flaw

The security flaw, as it was, allowed unauthorized users to gain access to the unique identifiers of HomeKit devices. As Tian writes, “With those unique identifiers, remote attacker can ask HomeKit to do almost anything.” That included allowing unauthorized users to send commands without verification — this would allow malicious actors to access smart locks and garage door openers, among other devices.

The vulnerability wasn’t patched until Tian brought the issue to the attention of 9to5Mac a few weeks ago. Apple then issued a quick fix — by disabling the ability to send HomeKit messages to other users — and then fixed the issue for good in the recent iOS 11.2.1 update.

For those interested in learning more about the security flaws, there’s plenty more detail to be found within Tian’s Medium post.

A Strike Against HomeKit

Apple’s HomeKit is a way to control compatible devices through Apple’s operating systems, and the protocol was designed to allow numerous products to work together in unison without needing a dedicated hub. (HomeKit devices can all be controlled through Apple’s Home app.)

However, HomeKit was also designed with security in mind. Many users choose Apple — and HomeKit — products based on Apple’s reputation for security, which makes this recent incident such a letdown. Tian finishes his blog post with “Hope Apple will be more careful in the future.” We feel the same way.

[H/T 9to5Mac]

Phil Dzikiy

Phil Dzikiy

Phil Dzikiy is the former editor in chief of Security Baron. Before, he has worked as a freelance writer and editor at websites like and along with publications like the Lockport Union Sun & Journal and the Greater Niagara Newspapers. With digital and print experience under his belt, Phil has a passion for all things technology including home security, cyber security, and the smart home. His bachelor's degree in Journalism from the University of Maryland College Park initially landed Phil his first job at the Beaver County Times, which has lead to over 15 years of experience as a journalist.

Trending News

Follow Us