Recently, Apple released iOS 11.2 to the public, and while the new software brings new features to the fore, it also adds some important security fixes.
According to a statement provided to 9to5Mac by Apple, a zero-day vulnerability tied to HomeKit has been patched in the most recent release of iOS 11.2. The issue itself was tied to the HomeKit framework and not individual HomeKit-supported devices. As a result, Apple was able to patch the vulnerability on the server-side directly.
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
The company said that the vulnerability was hard to reproduce, but, as part of the patch, the company has disabled remote access for shared users. While Apple admits that the feature has been disabled for now, it is quick to point out that support for remote access and shared users will return in a subsequent software update that should arrive “early next week.”
Apple was apparently made aware of the vulnerability back in October of this year, but, as mentioned above, the company apparently had trouble reproducing it. The patch is included not only with the release of iOS 11.2, but also with the launch of watchOS 4.2, which also arrived earlier this week.
Apple has had a rough go of it recently when it comes to software vulnerabilities. This latest one, which could effectively allow unauthorized access to your home through a smart, HomeKit-enabled door lock, is certainly big enough to warrant attention. And before this, a root access vulnerability in macOS made it so that physical access to a Mac could let someone log in and make changes at the root level without actually needing a password.
Apple has been quick to fix the biggest issues, and it’s good that this one was fixed now — but a turnaround between October and now is pretty wide.
Do you have any HomeKit devices in your home?