Apple To Patch Zero-Day Vulnerability With HomeKit And iOS

Apple is once again in the security news after the emergence of a zero-day vulnerability in HomeKit, Apple’s home automation platform for controlling smart home products via either iOS apps or Siri voice commands.

It comes after a serious root bug was discovered in the latest version of MacOS, and Apple’s rushed fix for that vulnerability could in some cases actually cause the flaw to return.

HomeKit Flaw

First announced in June 2014, HomeKit is widely seen as being Apple’s major drive towards the Internet of Things market, and the first products arrived in 2015.

Essentially, the platform allows customers to use their Apple device for a variety of smart home functions, including the ability to control locks, lights, cameras, doors, thermostats, plugs and switches at home, all via corresponding apps.

But now, according to 9to5Mac, the zero-day iOS HomeKit vulnerability could allow remote access to smart accessories, and even locks, which could compromise the security of people’s homes. Apple has reportedly rolled out a server-side fix and an update to iOS 11.2 should arrive next week.

9to5Mac said it won’t describe the vulnerability in detail and that it “was difficult to reproduce”, but it allowed unauthorised control of HomeKit-connected accessories. It added that it was concerning that an attacker could potentially gain control of smart locks and connected garage doors.

It’s worth noting that the vulnerability is not with smart home products individually but instead with the HomeKit framework itself, which connects products from various companies.


Server Fix

Users apparently need to take no action to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will apparently resolve any broken functionality.

The vulnerability requires at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account. Earlier versions of iOS are said not to be affected.

Apple had been informed about these vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2.

“The issue affecting HomeKit users running iOS 11.2 has been fixed,” Apple told 9to5Mac. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

This is yet another setback to Apple’s security credentials, which until the last several years had enjoyed a solid reputation.

In October a flaw was discovered in MacOS that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes, the operating system instead displayed the entire password.


Tom Jowitt
