HomeKit Vulnerability Allows Unauthorized Remote Access to Smart Accessories, Apple Issues Temporary Fix
LIKE
TWEET
SHARE
PIN
SHARE
POST
MAIL
MORE
Posted December 7, 2017 at 11:57pm by iClarified
A zero-day Apple HomeKit vulnerability has been discovered that allows unauthorized remote access to smart accessories. The attack, demonstrated to 9to5Mac, allowed access to smart locks, garage openers, and more.
The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.
The vulnerability reportedly requires at least one iPhone or iPad running iOS 11.2 connected to the HomeKit user's iCloud account. Apple was apparently informed about this and related vulnerabilities in late October; however, not all issues were fixed by the time iOS 11.2 and watchOS 4.2 were released.
Apple says it has issued a temporary server side fix until an upcoming software update:
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
9to5Mac believes their learning of the vulnerability has resulted in Apple providing a fix earlier than it would have otherwise.
We believe this vulnerability being brought to our attention has resulted in the solution being readied sooner than it otherwise would have been, and our readers deserve to know that the vulnerability existed. The severity of this vulnerability also imposes a responsibility on 9to5Mac as a publication to share what we know with our audience if we’re going to continue covering HomeKit and smart home products.
This vulnerability comes after a major bug was discovered in macOS High Sierra that allowed anyone to log in as root without a password and date bug in iOS 11 that caused iPhones to crash starting December 2nd.
![Apple Seeds watchOS 10.5 Beta 2 to Developers [Download]](/images/news/93332/93332/93332-160.jpg "Apple Seeds watchOS 10.5 Beta 2 to Developers [Download]")
![Apple Releases macOS Sonoma 14.5 Beta 2 [Download]](/images/news/93337/93337/93337-160.jpg "Apple Releases macOS Sonoma 14.5 Beta 2 [Download]")
![Apple Seeds VisionOS 1.2 Beta 2 to Developers [Download]](/images/news/93334/93334/93334-160.jpg "Apple Seeds VisionOS 1.2 Beta 2 to Developers [Download]")
![Apple Seeds tvOS 17.5 Beta 2 to Developers [Download]](/images/news/93329/93329/93329-160.jpg "Apple Seeds tvOS 17.5 Beta 2 to Developers [Download]")
![New 15-inch M3 MacBook Air On Sale for $149.01 Off! [Lowest Price Ever]](/images/news/93314/93314/93314-160.jpg "New 15-inch M3 MacBook Air On Sale for $149.01 Off! [Lowest Price Ever]")
![Apple 96W USB-C Power Adapter On Sale for 49% Off [Deal]](/images/news/93302/93302/93302-160.jpg "Apple 96W USB-C Power Adapter On Sale for 49% Off [Deal]")
![AirPods Pro 2 With USB-C On Sale for $189! [Deal]](/images/news/92932/92932/92932-160.jpg "AirPods Pro 2 With USB-C On Sale for $189! [Deal]")
![iPad Mini 6 On Sale for Just $375! [Lowest Price Ever]](/images/news/93207/93207/93207-160.jpg "iPad Mini 6 On Sale for Just $375! [Lowest Price Ever]")
