The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.
The vulnerability reportedly requires at least one iPhone or iPad running iOS 11.2 connected to the HomeKit user's iCloud account. Apple was apparently informed about this and related vulnerabilities in late October; however, not all issues were fixed by the time iOS 11.2 and watchOS 4.2 were released.
Apple says it has issued a temporary server-side fix until an upcoming software update:
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
9to5Mac believes their learning of the vulnerability has resulted in Apple providing a fix earlier than it would have otherwise.
We believe this vulnerability being brought to our attention has resulted in the solution being readied sooner than it otherwise would have been, and our readers deserve to know that the vulnerability existed. The severity of this vulnerability also imposes a responsibility on 9to5Mac as a publication to share what we know with our audience if we’re going to continue covering HomeKit and smart home products.
This vulnerability comes after a major bug was discovered in macOS High Sierra that allowed anyone to log in as root without a password, and a date bug in iOS 11 that caused iPhones to crash starting December 2nd.