Zeroday enabled use of HomeKit equipment without authorization

Apple recently patched a vulnerability that made it possible to control HomeKit equipment without the user’s authorization. This made it possible, among other things, to open smart locks and garage doors.

The operation of the zeroday has been explained to 9to5Mac. The website reached out to Apple to fix the leak before the article was published. The problem was with HomeKit’s framework, not specific HomeKit devices.

9to5Mac does not go into detail about how the zeroday works, but does indicate that it was difficult to reproduce. To take advantage of the vulnerability, at least one iPhone or iPad with iOS 11.2 must be connected to the HomeKit user’s iCloud account. The vulnerability does not occur on older iOS versions. The ability to provide remote access to shared users is temporarily disabled.

Apple was able to stop the leak by temporarily removing the ability to provide remote access to shared users. This feature will be added next week with a software update that will permanently close the leak.

The leak made it possible to control equipment connected to HomeKit. Such equipment includes smart lamps, sockets and thermostats, as well as security cameras and smart locks. This made it theoretically possible to use the zero day to physically break into a house.

Apple has lately been letting sloppy errors in its software more often. For example, last week it emerged that a password prompt in macOS High Sierra could be easily bypassed. In October it turned out that it was possible to show the password of an apfs volume in the place of the hint. In both cases, Apple quickly released an update that fixed the problem.