Apple fixes HomeKit bug that allowed remote unlocking of users’ doors

Security flaw in latest 11.2 software meant hackers could potentially gain remote control of lights, cameras and locks in smart homes

Apple has been forced to fix a security hole within its HomeKit smart home system that could have allowed hackers to unlock users' smart locks or other devices.

The bug within iOS 11.2 permitted unauthorised remote control of HomeKit-enabled devices. Such devices include smart lights, plugs and other gadgets, but also includes smart locks and garage door openers.

An Apple spokesperson said: “The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

The company said the temporary fixed was made server side, meaning that users do not have to do anything for it to take effect, but also that it breaks some functionality of the system.

READ MORE

The vulnerability, disclosed to 9to5Mac, required at least one iPad, iPhone or iPod Touch running the latest software version iOS 11.2 to have connected to the iCloud account associated with the HomeKit system. Previous versions of iOS appear not to have been affected. To exploit the bug the attackers would need to know the email address associated with the Apple ID of the homeowner and knowledge of how the system worked.

Experts said that while issues with smart-home systems such as this impact consumer confidence in smart locks and other security devices, traditional locks can also be easily undermined with traditional picking techniques.

The security bug is just the latest in a series of issues affecting Apple’s software on both its iPhone and Mac computers. Since November, iPhone and iPad users have been plagued with bugs affecting the autocorrect system, including issues typing the word “it” and the letter “I”, having it replaced with odd symbols.

Apple was also forced to apologise after a serious security flaw that allowed anyone to take control of a Mac running the latest version of macOS High Sierra with a blank password was revealed. The company rushed out a fix for the security bug, which then broke the file sharing system, which itself needed fixing in a later software update.

“We greatly regret this error and we apologise to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better,” Apple said at the time.

– Guardian News and Media 2017