When Apple announced HomeKit in 2014 it stressed that "HomeKit was designed with privacy and security from the very beginning" so that "only your iPhone can open your garage door or unlock your door." Turns out that last bit wasn't entirely true due to a nasty vulnerability that was recently revealed by a developer in collaboration with 9to5Mac. And now that Apple has patched the bugs, the developer, who goes by the name Khaos Tian, has taken to Medium to provide all the juicy details of their frustrating endeavor.
Basically, two bugs in both watchOS and iOS allowed unauthorized users to discover the unique identifiers required by HomeKit to interact with objects in the home. "HomeKit didn’t check the sender of remote message before processing the request, which ended up allowing potentially anyone to remotely control HomeKit accessories in the home," writes Tian. In practice, that meant anyone could open a garage door or front door secured with a HomeKit lock from a remote location.
Apple addressed the issue by making the attack a lot easier to execute
Tian says he notified Apple's product security team of the issue in late October, the day after he discovered it. In the weeks that followed, Apple did address some of the issues raised by Tian, but also introduced a new vulnerability that made the attack "a lot easier" to execute.
Exasperated by Apple's ineptness, delays, and lack of communication on the topic, Tian says he approached 9to5Mac with the story and quickly discovered the power of public relations: Apple's engineers came up with a temporary fix within 48 hours of the publication contacting Apple PR with the story. The provisional fix — disabling the ability for people to send HomeKit messages to others — was enacted on December 7th, six weeks after the vulnerability was initially reported. The real HomeKit fix was released via software update a few days later.
"No wonder nowadays people just throw security issues on Twitter right?" laments Tian. "What a world we live in."