A vulnerability in iOS HomeKit allowed unauthorized access to smart locks

According to an article by Zac Hall of 9to5Mac, a vulnerability was found in iOS 11.2 that allowed unauthorized access to smart devices such as locks, security cameras and garage doors if at least one Apple device running iOS 11.2 was connected to the HomeKit user's iCloud account. Though Apple has thankfully created a fix that will prevent this unauthorized access at the cost of slightly limited functionality, Hall noted the seriousness of the vulnerability:

The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories ... The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.

Hall also clarified that the vulnerability had nothing to do with the smart home accessories themselves, but was instead an issue with Apple's HomeKit framework, and that since the fix is already being administered, users will not have to take any additional steps to protect themselves at this time:

Users need to take no action today to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will resolve any broken functionality.

Between now and next week's update, HomeKit-ers may notice that they aren't able to grant shared users remote access — not ideal for sure, but also not the worst price to pay to assure safety and security.

Though bugs like this can be extremely serious, they don't necessarily mean that you need to toss out all your automated home devices. As Hall points out in his piece, bugs are a part of software development and happen all the time. Even widely released physical products can have flaws and need to be recalled for safety reasons, but that doesn't mean that you should stop using them altogether. In the end, choosing whether or not to use smart home products is always an individual decision, like choosing to use anything else. As long as you use them thoughtfully, you should be just fine:

Trusting HomeKit and smart home products with your security, however, will have to be a personal decision now just like it always has. Personally, once this vulnerability has been patched, I believe I'll be comfortable with trusting HomeKit security solutions to remain protected, but you can always use an old fashioned lock and key or install security cameras as a double measure.


If you have any questions regarding this vulnerability, you can check out Zac Hall's complete article here or ask us for help in the comments below.

Tory Foulk

Tory Foulk is a writer at Mobile Nations. She lives at the intersection of technology and sorcery and enjoys radio, bees, and houses in small towns. When she isn't working on articles, you'll likely find her listening to her favorite podcasts in a carefully curated blanket nest. You can follow her on Twitter at @tsfoulk.