Apple ignored a major HomeKit security flaw for six weeks

Locks, cameras and lights were open to attackers.
Rachel England, @rachel_england
December 21, 2017
Apple's HomeKit home automation platform is sold on the basis of security, privacy and trust -- users had to buy brand-new accessories with Apple-approved security components just to get it up and running. But back in October a developer uncovered a huge vulnerability which essentially meant a stranger, with some basic tech know-how and an Apple Watch, could waltz right into your home. And Apple has only just fixed it.

Under the name "Khaos Tian", the developer writes on Medium that HomeKit was sharing data on HomeKit accessories and encryption keys over insecure sessions with Apple Watches running watchOS 4.0 or 4.1, which essentially gave control of every HomeKit accessory (locks, cameras, lights) to any unscrupulous Apple Watch wearer. Tian says he reported the issue to Apple Product Security, which somehow made the situation worse by widening the flaw so unauthorized iOS 11.2 devices could also receive the sensitive data. Basically, they went from leaving the keys in the front door, to leaving the front door wide open.

Despite repeatedly emailing Apple throughout November, Tian had no success in getting a response from the company, so he resorted to contacting the Apple-focused site 9to5Mac, which contacted Apple's PR team on Tian's behalf. Worryingly, but perhaps unsurprisingly, Tian writes that Apple PR were "much more responsive" than the Apple Product Security team. On December 13 -- some six weeks after Tian first flagged the vulnerability -- Apple remedied the issue with iOS 11.2.1.

HomeKit is sold on the bold claim that you can entirely trust your home to Apple. More so than any other company, in fact, since the system requires users to purchase "extra-secure" Apple-approved components. But as Tian writes, "be vigilant when someone make[s] the promise that something is secure", because as Apple demonstrates, it's not too difficult to cause "a complete security breakdown of the entire system". Apple has been contacted for comment.
