On October 28, developer Khaos Tian discovered multiple bugs in Apple’s HomeKit that allowed unauthorized access to anyone connected with the service. The developer claimed that even though he reported his concerns to Apple the same day, Apple didn’t fix the bug all through November, and that the subsequent iOS update only made things worse.
In a detailed Medium post, Tian explains how the bug exposes the unique identifiers of a HomeKit device to practically anyone, effectively letting attackers get past a device’s defenses with little effort.
The second, and perhaps the most concerning, bug allowed any person to send a command to HomeKit, which HomeKit would simply push through without confirming the user’s credentials. Because HomeKit includes sensitive accessories such as smart locks and other peripherals, this was alarming for every user in Apple’s HomeKit ecosystem.
It’s extremely worrisome that Apple had full knowledge of the issue and didn’t do much for well over a month. Thankfully, these vulnerabilities have been fixed for good. Apple rectified the issue partially with a server-side patch and fixed it completely in iOS 11.2.1.
Fortunately, Tian didn’t make details of the bug public until Apple had officially fixed it. This meant that no user or developer barring Tian had knowledge of this vulnerability. It is learnt that Apple’s security team asked the developer to remove some points from his original post detailing the bug, which is believed to be a standard security measure.