Published: Fri, December 08, 2017
Hi-Tech | By Ellis Neal

Zero-day security flaw hits Apple HomeKit products

Zero-day security flaw hits Apple HomeKit products

First announced in June 2014, HomeKit is widely seen as being Apple's major drive towards the Internet of Things market, and the first products arrived in 2015.

While all type of HomeKit products were affected, it should definitely be concerning to anyone with a smart lock or smart garage door opener.

Essentially, the platform allows customers to use their Apple device for a variety of smart home functions, including the ability to control locks, lights, cameras, doors, thermostats, plugs and switches at home, all via corresponding apps.

It's worth noting the vulnerability is not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies.

Often times the issue stems from smart devices not being secured properly and security experts continue to highlight the potential security threat that these devices could pose to their owners.

Despite being considerably hard to reproduce, the vulnerability did allow some users to bypass security checks and take control of a wide range of HomeKit connected accessories such as wall plugs, smart lights and thermostats. Other issues in this category were fixed server-side from Apple so end users needed to take no action. Another update to iOS next week should eliminate the vulnerability and restore full functionality. Earlier iOS versions are free of the bug.

Apple released their iOS 11.2 software update last weekend, the update was rolled out quickly to fix a date bug in iOS.

9to5Mac didn't go into details, but said an iPhone or iPad running iOS 11.2 could exploit the flaw when connected to a HomeKit user's iCloud account. Unfortunately, Apple's server-side fix also prevents you from giving remote access to shared users.

Like this: