A developer details what went down with a recently-corrected HomeKit vulnerability.
A little more light has been shed on exactly what was happening with a recently-uncovered HomeKit vulnerability in iOS and watchOS. The issue, which has since been fixed, could have allowed someone to control HomeKit accessories without the home owner's authorization. Developer Khaos Tian has performed a deep dive into exactly what happened and how the vulnerability worked.
Tian outlined the issues in a post on Medium:
In order for HomeKit to do something, the message needs to contain a unique identifier that identifies the object (accessory, scene, or room) in the home. Normally it should be impossible for anyone to figure out the unique identifier for those objects unless you are actually authorized to access that home in HomeKit. However, there are two separate bugs, one in watchOS 4 - 4.1, and another in iOS 11.2 and watchOS 4.2, that allow someone to figure out those unique identifiers without being authorized to access the home in the first place. With those unique identifiers, a remote attacker can ask HomeKit to do almost anything.
Tian offers both (mostly) non-technical and deeply technical explanations of the issues at hand, while also detailing the process of talking about this issue with Apple security.
This vulnerability in HomeKit has been fixed, first with a server-side patch that temporarily disabled HomeKit sharing permissions, then with the release of iOS 11.2.1.