A recently patched vulnerability in Apple’s HomeKit protocol for smart home devices wasn’t properly fixed for months, and a new blog post has revealed inner details about the security flaw.
Developer Khaos Tian claims to have discovered the vulnerability in October, according to his new post on Medium. He also said that although he quickly notified Apple about the vulnerability, the company said it was investigating the issue through November. But by the time iOS 11.2 was released in early December, as Tian writes, “they introduced a new message which makes the whole attack a lot easier.”
Major Flaw
The flaw allowed unauthorized users to obtain the unique identifiers of HomeKit devices. As Tian writes, “With those unique identifiers, remote attacker can ask HomeKit to do almost anything.” That included sending commands without verification, which would allow malicious actors to access smart locks and garage door openers, among other devices.
The vulnerability wasn’t patched until Tian brought the issue to the attention of 9to5Mac a few weeks ago. Apple then issued a quick fix, disabling the ability to send HomeKit messages to other users, and then fixed the issue for good in the recent iOS 11.2.1 update.
For those interested in learning more about the security flaws, there’s plenty more detail to be found within Tian’s Medium post.
A Strike Against HomeKit
Apple’s HomeKit is a way to control compatible devices through Apple’s operating systems, and the protocol was designed to allow numerous products to work together in unison without needing a dedicated hub. (HomeKit devices can all be controlled through Apple’s Home app.)
However, HomeKit was also designed with security in mind. Many users choose Apple — and HomeKit — products based on Apple’s reputation for security, which makes this recent incident such a letdown. Tian finishes his blog post with “Hope Apple will be more careful in the future.” We feel the same way.
[H/T 9to5Mac]