Apple issues fix for HomeKit vulnerability impacting smart locks and other devices

Apple says it’s issued a fix for an iOS security flaw that left key connect home hardware open to unauthorized third-party access. The bug, which was initially spotted by 9to5Mac, reportedly made it possible for an outside party to access things like smart locks and garage doors.

The company has since confirmed the existence of the bug with TechCrunch. “The issue affecting HomeKit users running iOS 11.2 has been fixed,” an Apple spokesperson said in a statement. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

The fix appears to be server side update, meaning that the end-user doesn’t have to update anything for it to take effect. For the time being, it also means that users with 11.2  wont have all of the standard remote HomeKit functionality, until Apple rolls out something more permanent next week. Getting that functionality back will require updating to the latest version of iOS.

The initial report doesn’t detail the specifics of the exploit in its post, only noting that, “The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account.” It appears to be a difficult one to replicate and doesn’t impact earlier builds of the operating system. But it may highlight concerns around smart home functionality, as users connecting more pieces of their home to an ecosystem like HomeKit, Assistant or Alexa.

Bugs are part of any software solution, and Apple’s rushed to fix a couple of prominent ones on macOS and iOS in recent weeks. Like those, the company’s patched things up here with, hopefully, minimal inconvenience to the end user. But as always, it’s important to make a cost benefit analysis of a connected home offering to decide if it’s the right fit.

Leave a Reply