Apple Fixes HomeKit Flaw That Allowed Unauthorized Smart Lock Access

Smart Lock Credit: August
Text Size
- +

Toggle Dark Mode

Apple is reportedly rolling out a server-side fix for a critical, zero-day HomeKit vulnerability in iOS 11.2 that allowed unauthorized access to smart devices and accessories.

The vulnerability was first demonstrated to Apple news site 9to5Mac, and the flaw could have potentially allowed attackers to gain remote, unauthorized control of a slew of HomeKit-enabled smart devices — including smart locks and smart garage door openers.

Currently, no information on the vulnerability itself has been given, but the news outlet reported that it was difficult to reproduce. It reportedly required at least one iOS device running iOS 11.2 connected to a user’s iCloud account.

The implications of the vulnerability are extremely worrying, with the obvious concern being the ability for attackers to remotely open a smart lock or garage door and gain access to someone’s house without a physical key. This portion of the vulnerability was specifically demonstrated first-hand to 9to5Mac, the publication wrote.

As of Thursday, Apple has told the outlet that it is rolling out a server-side fix for the issue. As such, users will need to take no immediate action to patch the vulnerability and protect their security.

On the other hand, Apple’s server-side fix will apparently limit certain HomeKit functionality — namely disabling remote access for shared users. Full functionality will be restored in an upcoming update to iOS 11.2 next week, Apple said.

“The issue affecting HomeKit users running iOS 11.2 has been fixed,” Apple said in a statement. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

Reports seem to indicate that Apple has been aware of this and similar HomeKit vulnerabilities since late October, but certain issues were not addressed as of iOS 11.2 and watchOS 4.2. That means, presumably, that the flaw was live for several weeks in current versions of iOS and watchOS before being addressed.

Apple was apparently able to fix the issue on its servers because it affected the HomeKit framework, rather than individual HomeKit systems or supported smart products.

Social Sharing