HomeKit security hole placed smart homes at risk — and Apple ignored it for 6 weeks

 

Apple reportedly ignored a vulnerability within its HomeKit smart home platform that enabled it to be easily hijacked by anyone with an Apple Watch.

The startling flaw in certain versions of watchOS 4 made it possible for unauthorised users to trigger HomeKit devices like locks, doors, cameras and smart plugs.

Developer Khaos Tian, who discovered the bug in October, says Apple would share the lists of HomeKit accessories and their encryption keys over insecure sessions with watchOS 4.0 or 4.1.

Related: Apple Home and HomeKit review

After gaining the information, an attacker with an Apple Watch could take full control of the tech without Apple checking whether they had authorised access.

In a post on Medium (via Engadget), the developer explains: “With those unique identifiers, remote attacker can ask HomeKit to do almost anything.”

“Normally it should be impossible for anyone to figure out the unique identifier for those objects unless you are actually authorized to access that home in HomeKit.

“However, there are two separate bugs, one in watchOS 4 – 4.1, and another in iOS 11.2 and watchOS 4.2, allow someone to figure out those unique identifiers without authorizing the person to access the home in first place.”

The developer, who is presumably writing under a pseudonym, says he immediately reported the flaw to Apple back in October.

Six weeks later

However, despite knowing of its existence, the company released watchOS 4.2 and iOS 11.2 with the security exploit still in place, widening the issue.

Apple finally rolled out a fix on December 13, with iOS 11.2.1, meaning it was in play for six weeks before Cupertino did anything about it.

Considering Apple has long claimed HomeKit was “designed with privacy and security from the very beginning,” this is an embarrassing and concerning development.

Tian even said he had more success in getting a response when the Apple blog 9to5Mac contacted Apple’s PR team on his behalf.

“I guess that’s how product security works now? I have to know someone to get my security issue handled properly?” he quipped.

Has this incident damaged your faith in Apple’s home automation platform? Drop us a line @TrustedReviews on Twitter.