Apple closes security hole in HomeKit


Apple has patched a security vulnerability in HomeKit. The flaw made it possible to control HomeKit equipment without the user's authorization, including, among other things, opening smart locks and garage doors.

Initially, Apple disabled HomeKit functionality to prevent attackers from exploiting the vulnerability. As a result, users were temporarily unable to grant remote access to shared users. Now, with the release of iOS 11.2.1 and tvOS 11.2.1, a proper fix for the vulnerability is available. The fix improves input validation, which eliminates the vulnerability.

The problem was in HomeKit’s framework, not in specific HomeKit devices. To exploit the vulnerability, at least one iPhone or iPad running iOS 11.2 must be connected to the HomeKit user’s iCloud account. The vulnerability does not occur on older iOS versions. The ability to provide remote access to shared users is temporarily disabled.

The flaw made it possible to control equipment connected to HomeKit. Such equipment includes smart lamps, sockets and thermostats, as well as security cameras and smart locks. This made it theoretically possible to use the zero-day to physically break into a house.
