Apple announced that it has fixed a flaw in its HomeKit framework. The vulnerability could have enabled unauthorized remote control of smart-home appliances including smart locks and connected garage door openers.
9to5Mac first reported the vulnerability on December 7. The publication indicated that exploiting the flaw requires an iPhone or iPad that runs the latest iOS 11.2 and is linked to the HomeKit user’s iCloud account.
Apple’s HomeKit is a software framework that allows iPhone and iPad users to control and communicate with HomeKit-compatible smart-home appliances.
Apple said of the flaw:
The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.
The statement describes a temporary patch that disables the server-side remote access feature of the HomeKit framework, which is used to share access with other users.
We also understand that Apple was informed about this and related vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2 which were released this week.
This flaw is not the first for Apple with iOS 11, which was only released in September. Apple has already issued several subsequent updates that addressed an autocorrect vulnerability and the KRACK flaw. In addition, the iOS 11.2 update was released to fix memory corruption problems and a flaw that caused some Apple devices to restart, according to Apple.
However, none of these vulnerabilities is as severe as the security bug in the macOS High Sierra operating system, which enabled admin access to personal computers by entering “root” as a username.
The most recent patch for Apple HomeKit puts more pressure on IoT device manufacturers and providers to focus on the security and reliability of smart-home appliances. It is not the first time that smart-home devices have faced similar issues with keyless door systems.
Zac Hall, security researcher at 9to5Mac, noted that the flaw can pose security risks to HomeKit users.
“Personally, once this vulnerability has been patched, I believe I’ll be comfortable with trusting HomeKit security solutions to remain protected, but you can always use an old-fashioned lock and key or install security cameras as a double measure,” Zac Hall wrote.
According to 9to5Mac, the vulnerability is not related to any particular HomeKit device or manufacturer, but to the framework as a whole.