Apple HomeKit Flaw Opens Smart Locks to Hacking

A HomeKit zero-day has affected Apple customers


More precise details about the vulnerability weren't mentioned, but the original report said that it was "difficult to reproduce".

The "zero-day" or previously undiscovered vulnerability, first reported by 9to5Mac today, allowed unauthorized control of accessories such as smart locks and garage door openers.

The issue was not in the smart home products themselves but in the HomeKit framework.

The bug affected users with at least one device running iOS 11.2 connected to a HomeKit user's iCloud account, while those with earlier operating systems were not affected.

Such a security hole demonstrates how the spread of more smart and connected devices in the consumer and business technology world, thanks to the continued growth of the internet of things (IoT), can inject more potential cyber attack vectors into home and office networks.

Apple didn't immediately respond to a request for comment. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week. Apple has already fixed the iOS 11.2 bug with a server-side patch, and an update to iOS 11.2 due next week will fix the other end of the bug on iOS devices (via 9to5Mac).

After last week's release of an out-of-cycle emergency fix for a critical macOS High Sierra bug that allowed easy root access, the macOS update released yesterday (December 6) carries fixes for 22 vulnerabilities.

The HomeKit bug probably isn't as serious.

"There isn't much of a security loss here, relatively speaking", he said in an email.

The list of products compatible with Apple HomeKit includes light switches, thermostats, doorbells and cameras, in addition to garage door openers and smart locks.
