December 22, 2024
HomeKit Vulnerability Allows Unauthorized Remote Access to Smart Accessories, Apple Issues Temporary Fix

Posted December 7, 2017 at 11:57pm by iClarified
A zero-day Apple HomeKit vulnerability has been discovered that allows unauthorized remote access to smart accessories. The attack, demonstrated to 9to5Mac, allowed access to smart locks, garage openers, and more.

The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.

The vulnerability reportedly requires at least one iPhone or iPad running iOS 11.2 connected to the HomeKit user's iCloud account. Apple was apparently informed about this and related vulnerabilities in late October; however, not all issues were fixed by the time iOS 11.2 and watchOS 4.2 were released.


Apple says it has issued a temporary server-side fix until an upcoming software update:

“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

9to5Mac believes that its learning of the vulnerability led Apple to provide a fix earlier than it otherwise would have.

We believe this vulnerability being brought to our attention has resulted in the solution being readied sooner than it otherwise would have been, and our readers deserve to know that the vulnerability existed. The severity of this vulnerability also imposes a responsibility on 9to5Mac as a publication to share what we know with our audience if we’re going to continue covering HomeKit and smart home products.


This vulnerability comes after a major bug was discovered in macOS High Sierra that allowed anyone to log in as root without a password, and a date bug in iOS 11 that caused iPhones to crash starting December 2nd.

Comments (2)
waheb09 - December 8, 2017 at 3:25am
And the title of "The shittiest iOS ever made" goes to: iOS 11
lemon4611 - December 9, 2017 at 1:34am
I don't know, High Sierra is a perfect abortion. Either way Apple is in a security tailspin.