Posted on 12/08/2017 1:09:39 PM PST by Swordmaker
A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is that Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.
The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs.
The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.
The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies.
Users need to take no action today to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will resolve any broken functionality.
The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account; earlier versions of iOS were not affected.
We also understand that Apple was informed about this and related vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2, which were released this week. Other issues in this category were fixed server-side by Apple, so end users needed to take no action.
Apple shared this statement with 9to5Mac regarding the issue:
The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.
We believe this vulnerability being brought to our attention has resulted in the solution being readied sooner than it otherwise would have been, and our readers deserve to know that the vulnerability existed. The severity of this vulnerability also imposes a responsibility on 9to5Mac as a publication to share what we know with our audience if we’re going to continue covering HomeKit and smart home products.
Does this vulnerability shipping mean you shouldn’t trust HomeKit or smart home products going forward? The reality is bugs in software happen. They always have and pending any breakthrough in software development methods, they likely always will. The same is true for physical hardware which can be flawed and need to be recalled. The difference is software can be fixed over-the-air without a full recall.
Trusting HomeKit and smart home products with your security, however, will have to be a personal decision now just like it always has. Personally, once this vulnerability has been patched, I believe I’ll be comfortable with trusting HomeKit security solutions to remain protected, but you can always use an old fashioned lock and key or install security cameras as a double measure.
I would also like to know — just like with the root security issue that affected the Mac last week — that the development process that led to this vulnerability shipping and the issue remaining live for weeks without users knowing is audited and changes are made if possible.
The bottom line is if a HomeKit connected lock or garage door opener knowingly can’t secure your home, customers shouldn’t be given the opportunity to test the risks associated with any known vulnerabilities.
Our hope in publicizing this specific vulnerability is that we may have a meaningful impact in improving the quality assurance and security audit processes so that HomeKit can be a better solution in the future and live up to its reputation as being the most secure smart home framework.
The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.
If you want on or off the Mac Ping List, Freepmail me
I don’t use Apple, so how does it do updates? Does it automatically download and install updates, or can you choose to download/install manually?
Apple has had a ton of iOS issues recently. I really think they need to slow down and stop releasing a new version every year, instead focusing on stabilizing the existing version. The only reason they release a completely new version every year is for marketing purposes.
Along the same line, I think Windows was fine at 7. I won’t touch 10; among other things (mostly in the “phoning home” category), it does the auto-download. Too many settings to tweak to make it usable for my purposes.
Unless there’s a change that’s really needed and there’s a big demand for it, an OS need not go to a new version.
Some Linux distros throw in a lot of bells and whistle programs that aren’t really necessary and it just bloats the OS. If users want a given bell or whistle, it’s easy enough to install themselves. But the main, popular distros are less hyper about putting out new versions.
The only 100% certain way of keeping your “Smart-Home” from being hacked is by having a “Dumb-Home”.
Yup. When my Alarm company touted how I could access my home security system from my phone I told them in no uncertain terms they could either permanently disable that “feature” or I’d rip it out and find another alarm company.
We are on the same page my FRiend.
The only part of this I would worry about would be "smart locks." I don't think anyone would care about getting control of my lighting system, thermostat, or even my entertainment system (they wouldn't learn much about me). So, no smart locks on my houses.
I've had a BSR X-10 lighting system controlled by my computer since all the way back to the Commodore Vic-20 days. Only problem there was a neighbor installed one too and selected the same whole house code as I had (there were only 16 choices back then and they worked over the power lines.)
The last update before the latest update trashed my iPhone 6.
Rebooted itself every 2-3 minutes, dropped phone calls, all my alarms and reminders gone...
Pretty sure my next phone will be an Android.
L
Well, too bad about that. Of course, you won't have any problems when you get your Android's updates, since they don't get any updates. . . you'll just have problems with the over 5 million pieces of malware in the wild for the Android ecosystem. Good luck with that.
Dude, I make phone calls and check my emails. That's about all I need from a phone.
My iPad does everything else. I certainly have no need for a $900 Phone.
L
And would it be too much to ask for Apple to actually test their updates before they push them out?
L
Now hackers can get into your home.
Scary.. No thanks!
They are tested, extensively. And they go through multiple rounds of public Beta testing too. But even that does not catch everything that can go wrong with the multitude of possible app combinations that are in the wild, which can cause some unknown problem until it is in the hands of millions of users with those combinations.
The fact is that 99.999% of iPhone users had ZERO problems with that update. You were in the 0.001% that had a problem, and a subset of those users experienced something that caused a catastrophic failure. . . but when there are 1.2 BILLION iPhone users in the wild, even that small a percentage results in 1,200,000 users with a problem of some kind. Apple has to figure out exactly what is causing that small percentage of users that issue.
Public beta testers total about 200,000 to 250,000 iPhone users with all kinds of iPhones. . . Your three year old iPhone 6 was probably being tested by maybe 10,000 to 15,000 beta testers. . . but your mix of software? Probably no one. It only takes ONE misbehaving app to cause the problem.
Frankly, it could even be an Apple App that is broken only on your iPhone. Or it could take some specific combination of an App and a specific supplier's bad run of components. That was discovered in a run of iPhone 6s last year with a security update that caused problems with WIFI connections. The problem was a run of just slightly out of spec Qualcomm WIFI radios that worked fine with the original specced software but an update tightened the ranges . . . and then the WIFIs kept dropping connection due to the tighter specs because the radios were too "wobbly" on what they would do.
The fix was to have the software recognize that particular version of the radio and loosen the specs for those particular iPhones that had that run of Qualcomm radio in them. Problem solved for those users. . . but ALL iPhones of that model had to have the update so that all of those radios could be caught and fixed. It could ONLY be found when the update had been released into the wild.
Hackers always could get into a house. Why do you think firemen carry axes?
Bingo!!
Zeus and Apollo (Magnum P.I.) for the Alarm System.
Smith & Wesson, Ruger, Remington or Glock for Takedown.
911, Cleanup, Row 27 and bring multiple body bags.