Developer says now-fixed Apple HomeKit vulnerability was temporarily worsened in iOS 11.2

article thumbnail

Though Apple ultimately solved the issue with iOS 11.2.1 and tvOS 11.2.1, a HomeKit vulnerability discovered in October was simply made more severe in iOS 11.2, according to one developer.

The developer, going by "Khaos Tian," said on Medium that he first discovered the flaw in Apple Watches with watchOS 4.0 or 4.1, which potentially gave someone control of any HomeKit accessory due to insecure data sharing. He reported the issue to Apple Product Security in late October, but the company — including Software Engineering VP Craig Federighi — is said to have ignored follow-up emails after saying it would investigate.

iOS 11.2 actually expanded the reach of the problem, letting iPhone and iPad owners sniff out HomeKit data without a Watch.

Tian ended up publicizing the matter by contacting 9to5Mac, which in turn talked to Apple PR. That led to Apple's short-term fix, disabling remote access by shared users, before iOS 11.2.1 and tvOS 11.2.1 went live on Dec. 13.

Apple ordinarily prides itself on the security of HomeKit, which uses heavy encryption. In fact the demands of authentication are one reason many HomeKit accessories require a separate hub, and why some early products were slow to respond to commands.


Latest News