Apple To Patch Zero-Day Vulnerability With HomeKit And iOS

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Apple security credentials once again in spotlight after zero-day iOS HomeKit vulnerability is revealed

Apple is once again in the security news after the emergence of a zero-day vulnerability in HomeKit, Apple’s home automation platform for controlling smart home products via either iOS apps or Siri voice commands.

It comes after a serious root bug was discovered in the latest version of macOS, and Apple’s rushed fix for that vulnerability could, in some cases, actually cause the flaw to return.


HomeKit Flaw

First announced in June 2014, HomeKit is widely seen as being Apple’s major drive towards the Internet of Things market, and the first products arrived in 2015.

Essentially, the platform allows customers to use their Apple device for a variety of smart home functions, including the ability to control locks, lights, cameras, doors, thermostats, plugs and switches at home, all via corresponding apps.

But now, according to 9to5mac.com, the zero-day iOS HomeKit vulnerability could allow remote access to smart accessories, including locks, which could compromise the security of people’s homes. Apple has reportedly rolled out a server-side fix, and an update to iOS 11.2 should arrive next week.

9to5Mac said it won’t describe the vulnerability in detail and that it “was difficult to reproduce”, but it allowed unauthorised control of HomeKit-connected accessories. It added that it was concerning that an attacker could potentially gain control of smart locks and connected garage doors.

It’s worth noting that the vulnerability is not with the smart home products individually but with the HomeKit framework itself, which connects products from various companies.


Server Fix

Users apparently need to take no action to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will apparently resolve any broken functionality.

The vulnerability requires at least one iPhone or iPad running iOS 11.2, the latest version of Apple’s mobile operating system, to be connected to the HomeKit user’s iCloud account. Earlier versions of iOS are said not to be affected.

Apple had been informed about these vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2.

“The issue affecting HomeKit users running iOS 11.2 has been fixed,” Apple told 9to5Mac. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

This is yet another setback to Apple’s security credentials, which, until the last few years, enjoyed a solid reputation.

In October a flaw was discovered in MacOS that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.
