Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

HomeKit security hole placed smart homes at risk — and Apple ignored it for 6 weeks


Apple reportedly ignored a vulnerability within its HomeKit smart home platform that enabled it to be easily hijacked by anyone with an Apple Watch.

The startling flaw in certain versions of watchOS 4 made it possible for unauthorised users to trigger HomeKit devices like locks, doors, cameras and smart plugs.

Developer Khaos Tian, who discovered the bug in October, says Apple would share the lists of HomeKit accessories and their encryption keys over insecure sessions with watchOS 4.0 or 4.1.

Related: Apple Home and HomeKit review

After gaining the information, an attacker with an Apple Watch could take full control of the tech without Apple checking whether they had authorised access.

In a post on Medium (via Engadget), the developer explains: “With those unique identifiers, remote attacker can ask HomeKit to do almost anything.”

“Normally it should be impossible for anyone to figure out the unique identifier for those objects unless you are actually authorized to access that home in HomeKit.

“However, there are two separate bugs, one in watchOS 4 – 4.1, and another in iOS 11.2 and watchOS 4.2, allow someone to figure out those unique identifiers without authorizing the person to access the home in first place.”

The developer, who is presumably writing under a pseudonym, says he immediately reported the flaw to Apple back in October.

Six weeks later

However, despite knowing of its existence, the company released watchOS 4.2 and iOS 11.2 with the security exploit still in place, widening the issue.

Apple finally rolled out a fix on December 13, with iOS 11.2.1, meaning it was in play for six weeks before Cupertino did anything about it.

Considering Apple has long claimed HomeKit was “designed with privacy and security from the very beginning,” this is an embarrassing and concerning development.

Tian even said he had more success in getting a response when the Apple blog 9to5Mac contacted Apple’s PR team on his behalf.

“I guess that’s how product security works now? I have to know someone to get my security issue handled properly?” he quipped.

Has this incident damaged your faith in Apple’s home automation platform? Drop us a line @TrustedReviews on Twitter.

Why trust our journalism?

Founded in 2003, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have millions of users a month from around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.