Apple Fixes iOS 11.2 HomeKit Flaw; Allowed Unauthorized Remote Access to Homes
9to5Mac reports on an iOS 11.2 flaw affecting HomeKit that allowed unauthorized remote access to devices, as demonstrated to the publication. Apple was informed of the HomeKit vulnerability (dating back to October) and applied a temporary server-side fix, with a full fix coming in an iOS update next week.
As per Zac Hall from 9to5Mac:
A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers. Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.
The issue was with the HomeKit framework and not individual smart home products. The exploit required an iPhone or iPad running iOS 11.2 and connected to a user’s iCloud account. Specific details of the vulnerability were not shared, and 9to5Mac reported on the issue publicly only after hearing from Apple that a fix had been put in place.
The iPhone maker said in a statement, “The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”