Naked Security

Apple plugs IoT HomeKit hole

Apple just can’t seem to get away from the theme of security flaws right now.

Last month it was the macOS 10.13 root password issue, hot on the heels of the news that the iPhone X’s much-vaunted Face ID authentication could be bypassed using a prosthetic mask.

And it only seems fair to mention the small matter of the ‘show your password hint in encrypted APFS volumes’ issue macOS High Sierra users were told about in October.

Even Google’s Project Zero has got in on the act, publishing news of a jailbreaking proof-of-concept for iOS and macOS that seemed designed to draw attention to unexpected weaknesses in once-impregnable Apple software.

Now a researcher has discovered that Apple’s HomeKit Internet of Things (IoT) framework has a vulnerability serious enough to allow an attacker to control devices that use its protocol: thermostats, lights, power points and air conditioners, as well as smart home locks and garage door openers.

Who would secure their home with an IoT smart lock that can be disabled remotely? Probably nobody would. But the mere fact such a thing is even possible is a poor advert for the future of the smart home.

Apple has plugged the hole by temporarily disabling HomeKit’s shared remote users feature, which will be restored this week when iOS is updated.

In HomeKit’s defence, the vulnerability is described as being “difficult to reproduce,” but that won’t buy it much sympathy.

It’s clear that researchers are going after Apple in the same way they go after any other big company.

As Naked Security has pointed out before, despite the embarrassing headlines, this is good news. If there’s one thing that’s worse than researchers tearing a company’s software open, it’s researchers not tearing it open until it’s too late.