HomeKit’s Stringent Security Requirements

Here’s a report by Aaron Tilley for Forbes, from July of last year:

It’s been more than a year since Apple announced HomeKit, its system for connecting smart home devices through iOS. And as with all things Apple, expectations are high. Maybe too high.

So far, only five companies have launched HomeKit-certified smart home devices. What’s the holdup? Apple has thrown a plethora of challenges at hardware makers, and some developers say one of the biggest is complying with Apple’s strict security requirements on Bluetooth low energy devices.

Apple allows for either WiFi or Bluetooth low energy (LE)-enabled devices to get certified as a HomeKit accessory. Apple is requiring device makers using both WiFi and Bluetooth LE to use complicated encryption with 3072-bit keys, as well as the super secure Curve25519, which is an elliptic curve used for digital signatures and exchanging encrypted keys.

“These security protocols are bleeding edge,” said Diogo Monica, a security lead at Docker and an IEEE security expert.

This story makes more sense today, given all the recent outages and attacks based on exploits of insecure “internet of things” devices.

Tuesday, 25 October 2016