Apple patches HomeKit bug that left smart locks vulnerable


HomeKit devices
This isn't good.
Photo: Apple

A huge vulnerability within Apple’s HomeKit software has been discovered that potentially could have allowed attackers to gain access to smart accessories like locks and garage doors.

The zero-day vulnerability was reportedly patched by Apple within the last few days, but it certainly shows that HomeKit might not be quite as secure as some users think.

News of the HomeKit bug was first reported by 9to5Mac, which says the problem proved difficult to reproduce. However, the flaw allowed unauthorized control of HomeKit-connected accessories like smart locks, lights and thermostats.

Apple’s software has suffered from a series of bugs lately. Despite the company’s “it just works” tagline, iOS and macOS have both been plagued by a number of bugs both simple and serious in recent months. Apple touts HomeKit as a way to securely control smart accessories, but any vulnerabilities could cause consumers to lose confidence in the platform if hackers can just unlock their doors remotely.

According to the report, the problem wasn’t with individual products but rather with Apple’s HomeKit home-automation framework itself. Apple was supposedly informed about the vulnerability back in October.

HomeKit users don’t have to do anything to fix the security flaw. A server-side fix is being rolled out, while an iOS update will come next week to fix any broken functionality.

“The issue affecting HomeKit users running iOS 11.2 has been fixed,” Apple said in a statement to 9to5Mac. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

