Windows 10 News and info | Forum
Author Topic: Apple messed up again and this time it's your front door they left unlocked!  (Read 455 times)
« on: December 08, 2017, 01:49:39 AM »

Zero-day iOS HomeKit vulnerability allowed remote access to smart accessories including locks, fix rolling out

A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.

The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs.

The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.

The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies.

Users need to take no action today to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will resolve any broken functionality.

The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.

We also understand that Apple was informed about this and related vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2 which were released this week. Other issues in this category were fixed server-side from Apple so end users needed to take no action.

Apple shared this statement with 9to5Mac regarding the issue:

"The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week."

We believe this vulnerability being brought to our attention has resulted in the solution being readied sooner than it otherwise would have been, and our readers deserve to know that the vulnerability existed. The severity of this vulnerability also imposes a responsibility on 9to5Mac as a publication to share what we know with our audience if we're going to continue covering HomeKit and smart home products.

Does this vulnerability shipping mean you shouldn't trust HomeKit or smart home products going forward? The reality is bugs in software happen. They always have and pending any breakthrough in software development methods, they likely always will. The same is true for physical hardware which can be flawed and need to be recalled. The difference is software can be fixed over-the-air without a full recall.

Trusting HomeKit and smart home products with your security, however, will have to be a personal decision now just like it always has. Personally, once this vulnerability has been patched, I believe I'll be comfortable with trusting HomeKit security solutions to remain protected, but you can always use an old fashioned lock and key or install security cameras as a double measure.

I would also like to know, just like with the root security issue that affected the Mac last week, that the development process that led to this vulnerability shipping and the issue remaining live for weeks without users knowing is audited and changes are made if possible.

The bottom line is if a HomeKit connected lock or garage door opener knowingly can't secure your home, customers shouldn't be given the opportunity to test the risks associated with any known vulnerabilities.

Our hope in publicizing this specific vulnerability is that we may have a meaningful impact in improving the quality assurance and security audit processes so that HomeKit can be a better solution in the future and live up to its reputation as being the most secure smart home framework.

« Last Edit: December 08, 2017, 02:05:48 AM by javajolt » Logged
