Zero-Day iOS HomeKit Vulnerability Allowed Remote Access to Smart Accessories Including Locks

Zac Hall, reporting for 9to5Mac:

A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.

The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs.

The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.

Fast response from Apple, but this kind of story spooks me from installing smart locks. I realize that’s not entirely rational — good old-fashioned dumb locks are susceptible to lock-picking — but something about hooking up the locks to my house to the internet just doesn’t feel right.

Friday, 8 December 2017