Apple fixes HomeKit bug that gave attackers control over smart home gadgets


Apple’s had a bad couple weeks of software issues, and its latest problem is a HomeKit vulnerability that apparently let hackers take control of a person’s smart home gadgets. 9to5Mac broke news of the exploit and seems to have nudged Apple into patching the bug immediately — Apple was reportedly told of the issue in late October.

The vulnerability required a hacker to have access to an iPhone or iPad on iOS 11.2 (the latest version of iOS) that was logged into their target’s iCloud account, according to the report. It’s unclear exactly what happened from there, but it sounds like the attacker was able to set up a shared HomeKit user without logging into the device. That would then give the person total control over any HomeKit gadgets their target’s iCloud account was hooked up to.

For obvious reasons, that could have been a real problem. If the hacker also had access to their target’s home, they might have been able to unlock a door and walk in.

While HomeKit now supports security cameras, Apple tells us that the bug didn’t allow an attacker to gain access to live video.

The capabilities and process of the exploit aren’t fully explained by 9to5Mac. It’s also unclear who discovered the issue, but the site reports that person informed Apple of the issue over a month ago. Some problems were reportedly fixed in iOS 11.2, but apparently not all of them, leading to this disclosure.

In a statement to 9to5Mac, Apple said it had resolved the problem with a server-side update. “The issue affecting HomeKit users running iOS 11.2 has been fixed,” the company wrote. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

While it sounds like the bug was only a problem under fairly specific circumstances — an attacker needed physical possession of their target’s properly updated device — it’s still a surprising issue for what’s been touted as one of the most secure smart home systems. The flaw itself seems to have more to do with iOS’s handling of iCloud accounts than the actual HomeKit protocol, but the two are intertwined enough that the distinction doesn’t really matter.

Update December 8th, 4:33PM ET: This story has been updated with comment from Apple on security cameras.