Apple patches HomeKit flaw that let hackers unlock smart devices

Posted Dec 8, 2017 by James Walker
Apple's released a temporary patch for a serious security issue affecting its HomeKit IoT ecosystem. A security researcher discovered hackers could tamper with devices externally, allowing them to open smart locks and control other smart home components.
Apple store in Cupertino, California
Justin Sullivan, Getty Images/AFP/File
The vulnerability was disclosed to Apple news site 9to5Mac by an unnamed source. While full details of the flaw haven't been disclosed, it has been confirmed it enabled "unauthorised remote control" of smart locks connected via Apple's HomeKit platform. This could allow thieves to enter while you're away from home.
Apple's understood to have moved to fix the bug with a temporary patch. 9to5Mac claimed the solution was implemented "sooner than it otherwise would have been," had the publication not been informed. Apple's applied a server-side fix which disables some functionality of HomeKit devices, closing the loophole.
HomeKit customers who use remote access with shared users will find the feature no longer works while Apple investigates the vulnerability. The capability is supposed to allow defined contacts to remotely control your HomeKit products over the Internet. A new version of iOS 11.2 will be issued "early next week" to permanently rectify the fault, at which point remote access should be turned back on.
The problem provides another example of the ongoing security risks around the Internet of Things. With reputable hardware manufacturers like Apple still failing to keep devices secure, there are significant ramifications for the success of the ecosystem. As general consumer trust in IoT is still low, failure to keep doors safe from hackers could see homeowners abandon the smart home concept.
While bugs and security issues are a possibility in any software release, Apple's had a notably high number of serious incidents lately. In recent weeks, the company has had to deploy several critical patches for problems with its operating systems. A bug in macOS, which may have been exposed for months, allowed external users to bypass the password prompt by pressing enter twice. In fixing the problem, Apple then introduced further issues that impacted some users.
The incidents have led some security experts to suggest Apple audit its release procedures. 9to5Mac reiterated the calls for the company to assess how it deploys software. The string of security issues to impact its software could just be a case of bad luck or a sign of poor quality control in the company's internal processes. The latest vulnerability is said to have been live "for weeks" without Apple informing users or deploying a patch.