
HomeKit flaw in iOS 11.2 allowed remote access to smart devices, temporary fix already in place

Apple's software woes continued this week with the publication of a HomeKit flaw that allowed remote access to smart home devices like locks and lights. The company has since issued a temporary patch by disabling remote access to shared users, and plans to permanently plug the hole in a software update next week.

Demonstrated to 9to5Mac by an unnamed source, the HomeKit vulnerability granted unauthorized access to internet-connected devices controlled by Apple's smart home platform.

The process, which was not detailed in today's report, is said to be difficult to reproduce. However, unlike recent Apple software bugs, a HomeKit flaw presents a tangible real-world security threat to users who have smart door locks and garage door openers installed in their home.

Fortunately, Apple has implemented a temporary fix by disabling remote HomeKit access to certain users.

"The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week," Apple said in a statement.

The report claims Apple was made aware of the vulnerability in late October, and says some issues were fixed as part of the recently released iOS 11.2 and watchOS 4.2 updates. Apple patched other holes related to the HomeKit flaw server-side, the report said.

Today's revelations come on the heels of an embarrassing week for Apple software. Last Tuesday, media outlets glommed on to a glaring macOS High Sierra flaw that provided root system administrator access without first requiring a password. Apple pushed out a quick fix, but that patch broke file sharing for some users.

Later in the week, users discovered a date bug in iOS 11.1.2 that threw some devices into a continuous soft reset loop. The issue forced Apple to release iOS 11.2 early in an overnight update on Saturday.



31 Comments

lito_lupena 8 Years · 116 comments

Maybe it’s best not to install any of Apple’s latest software releases for the time being until they sort out all these errors? It seems like every other day there is news about a flaw in each of their OS platforms — macOS, iOS, watchOS and tvOS.

Rayz2016 8 Years · 6957 comments

Maybe it’s best not to install any of Apple’s latest software releases for the time being until they sort out all these errors? It seems like every other day there is news about a flaw in each of their OS platforms — macOS, iOS, watchOS and tvOS.

Mmmm. Not really. 

“Difficult to reproduce” sounds like it’s not something that’s going to cause a lot of problems, unlike the root thing. 

Besides, if you don’t install the software then how’re you going to get the fixes?

sergioz 12 Years · 338 comments

Maybe it’s best not to install any of Apple’s latest software releases for the time being until they sort out all these errors? It seems like every other day there is news about a flaw in each of their OS platforms — macOS, iOS, watchOS and tvOS.

Better go hide under a rock and never come out!

gatorguy 13 Years · 24627 comments

Rayz2016 said:
Maybe it’s best not to install any of Apple’s latest software releases for the time being until they sort out all these errors? It seems like every other day there is news about a flaw in each of their OS platforms — macOS, iOS, watchOS and tvOS.
Mmmm. Not really. 

“Difficult to reproduce” sounds like it’s not something that’s going to cause a lot of problems, unlike the root thing. 

Besides, if you don’t install the software then how’re you going to get the fixes?

Anyone who hadn't yet updated to 11.2 was unaffected anyway. Other point versions of iOS 11 are fine. 

focher 16 Years · 686 comments

According to the 9to5 article:

The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account; earlier versions of iOS were not affected.

Is that sentence correct? Because if it is, it seems to say that the bug requires a connection to the user's iCloud account. Or is that ANY iCloud account? Big difference.