Last week, Apple released iOS 11.2.1 to fix a serious security flaw in HomeKit that allowed unauthorized remote access to HomeKit-connected devices. Today, developer Khaos Tian, who says he discovered the vulnerability back in October and promptly notified Apple, has explained how the bug actually worked, while sharing his frustration at Apple's failure to fix it properly (via 9to5Mac).
The developer said that although Apple was notified about the flaw in October, the issue remained exploitable throughout November, and the next iOS release made things even worse. He detailed how the vulnerability consisted of two separate issues.
First, anyone could discover the unique identifier of a HomeKit device without any authorization. Second, when an unauthorized party sent a command to a HomeKit device, HomeKit simply let the command through without verifying who sent it. Fortunately for Apple, the vulnerability was not disclosed publicly until it had been fully patched in iOS 11.2.1.
Those message mishandling issues were discovered back in late October, and were disclosed to Apple's product security team the day after I found them (Oct 28). I got ONE email (on October 30) from Apple's product security team saying they were investigating it, through the entire November. During that time, I sent multiple emails (Oct 31, Nov 2, and Nov 16. Additionally there was one sent to Federighi on Nov 27.) to try to ensure the engineering team understood the issue, but no reply at all.
I observed that Apple deployed the watchOS server fix, so I assumed they were just being typical Apple, not replying to people, so I thought the engineering team should have had sufficient understanding of the issue and hoped they had properly fixed the issue with iOS 11.2. But then iOS 11.2 was officially released, and while they did fix some issues in my report, they didn't do a full security audit to ensure all messages were being handled properly, and instead they introduced a new message which makes the whole attack a lot easier.
For the lengthy technical explanation of the exploit, you can read the developer's original post on Medium.