Apple Patches Potentially Serious Vulnerability in HomeKit with iOS 11.2.1
In a world filled with “Internet of Things” (IoT) devices, there are security holes everywhere. Apple works hard on hardening its HomeKit system and the way third-party devices interface with Apple products. So when news broke in early December that someone had uncovered a zero-day exploit that could allow an attacker to take control of a user’s devices through the Home app, it made headlines across the web.
Though the exact details of the exploit were not released publicly and were described as tough to replicate, this was a potentially serious vulnerability that remained live in iOS 11.2 for weeks after its release. A successful attacker would have been able to gain control over the Home app, and with it, the ability to send commands to any of a user’s connected HomeKit devices, including smart locks, garage doors, and more: a major inroad into a victim’s life.
The exploit was privately reported to Apple before its public announcement. Apple’s immediate response was to disable remote connectivity altogether, which made the exploit impossible to carry out. Now, Apple has rolled out iOS 11.2.1 alongside an update to tvOS that closes this loophole. Users who employ HomeKit should immediately upgrade to this latest version to remain protected, even though the threat of an attack is very low.
Apple’s speedy response is a sign of its commitment to the integrity of the HomeKit platform, but it also demonstrates that no one is infallible. Even Apple experiences bugs and inadvertent errors from time to time. While HomeKit remains secure and safe to use, it is worth remembering that there are always some security trade-offs to consider when using IoT devices.