A zero-day vulnerability with Apple’s HomeKit exposed users’ smart door locks and garage-door openers to hackers, 9to5Mac reports. The serious security issues have already been fixed via a server-side patch by Apple, and an update to iOS 11.2 is coming in the near future to fix any broken functionality.
The site reports that a “HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers.” It describes the bug as “difficult to reproduce,” but said that it potentially “allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs.”
Users don’t need to run around unplugging all HomeKit-connected devices: 9to5Mac says that Apple has already deployed a server-side update that fixes the bug, which was in the HomeKit service, rather than the code on individual client devices.
The disclosure of another bad security flaw comes at a terrible time for Apple. Just last week, developers found a major flaw in macOS High Sierra that allowed anyone to gain root access to a locked Mac, using no advanced knowledge and seconds of physical access to the machine. That flaw was publicly disclosed while it was still live; in the case of this HomeKit bug, it seems that 9to5Mac kept it quiet until Apple had a chance to fix it.
In a comment to 9to5Mac, Apple said “the issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
Although the exact nature of the bug hasn’t been disclosed, it sounds far more finnicky than the macOS High Sierra root bug. 9to5Mac said that “the vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account,” which isn’t exactly easy. However, any security flaw that potentially gives a stranger access to your hack is bad news for Apple and the trustworthiness of smart home accessories in general.