Apple To Patch Zero-Day Vulnerability With HomeKit And iOS

Apple is once again in the security news after the emergence of a zero-day vulnerability in HomeKit, Apple’s home automation platform for controlling smart home products via either iOS apps or Siri voice commands.

It comes after a serious root bug was discovered in the latest version of MacOS, and Apple’s rushed fix for that vulnerability could, in some cases, actually cause the flaw to return.

HomeKit Flaw

First announced in June 2014, HomeKit is widely seen as being Apple’s major drive towards the Internet of Things market, and the first products arrived in 2015.

Essentially, the platform allows customers to use their Apple device for a variety of smart home functions, including the ability to control locks, lights, cameras, doors, thermostats, plugs and switches at home, all via corresponding apps.

But now, according to 9to5mac.com, the zero-day iOS HomeKit vulnerability could allow remote access to smart accessories, and even locks, which could compromise the security of people’s homes. Apple has reportedly rolled out a server-side fix and an update to iOS 11.2 should arrive next week.

9to5Mac said it won’t describe the vulnerability in detail and that it “was difficult to reproduce”, but it allowed unauthorised control of HomeKit-connected accessories. It added that it was concerning that an attacker could potentially gain control of smart locks and connected garage doors.

It’s worth noting that the vulnerability is not with individual smart home products but with the HomeKit framework itself, which connects products from various companies.


Server Fix

Users apparently need to take no action to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will apparently resolve any broken functionality.

The vulnerability requires at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account. Earlier versions of iOS are said not to be affected.

Apple had been informed about these vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2.

“The issue affecting HomeKit users running iOS 11.2 has been fixed,” Apple told 9to5Mac. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

This is yet another setback to Apple’s security credentials, which until the last several years had enjoyed a solid reputation.

In October a flaw was discovered in MacOS that could have allowed anyone to gain access to encrypted hard disk volumes. That issue meant that when a user requested a password hint for certain encrypted volumes the operating system instead displayed the entire password.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long-standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
