Apple said it has fixed an undisclosed vulnerability in its HomeKit framework that could have allowed unauthorized remote control of HomeKit devices such as smart locks and connected garage door openers.
The flaw was first reported by the publication 9to5Mac on Thursday. According to the publication, the vulnerability requires an iPhone or iPad running the latest iOS 11.2 that is linked to the HomeKit user’s iCloud account.
The write-up on the vulnerability is vague and does not state what the specific vulnerability is, only that it was demonstrated to the publication and that it is complex to exploit.
HomeKit is Apple’s software framework for smart-home appliances that lets iPhone and iPads users communicate with and control dozens of compatible third-party HomeKit-enabled devices.
Apple said in a statement:
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
According to the publication, the temporary fix disables the server-side remote access component of HomeKit used to share access to other users.
“We also understand that Apple was informed about this and related vulnerabilities in late October, and some but not all issues were fixed as part of iOS 11.2 and watchOS 4.2 which were released this week,” reported 9to5Mac.
This isn’t the first issue Apple has had with iOS 11, released in September. There have been several subsequent updates to the iOS that addressed an autocorrect bug, the KRACK vulnerability and fixes for a slew OF regular maintenance updates. The iOS 11.2 update, released last week, addressed multiple memory corruption issues and a restart bug that caused some iOS devices to unexpectedly restart, according to Apple.
None of the issues are as severe as the security flaw in macOS High Sierra operating system found last month that allowed admin access to computers simply by putting “root” in the user name field.
The Apple HomeKit fix come as more pressure is put on IoT device makers to focus on shoring up device security and reliability. It’s also not the first time a keyless door system has caused owners headaches.
In May, the New York Attorney General Eric Schneiderman settled with Safetech Products over the sale of insecure Bluetooth door and padlocks. The issue was tied to Safetech sending clear text passwords via Bluetooth between the locks and the user’s smartphone. A botched wireless update for a remotely accessible smart lock system made by LockState accidentally bricked hundreds of locks in August. And last year, SecuRing warned a growing number of Bluetooth devices used for keyless entry and mobile point-of-sales systems are vulnerable to man-in-the-middle attacks.
9to5Mac reports the vulnerability is not related to any specific HomeKit product, but instead the framework.