Apple says it plans to fully resolve a vulnerability in HomeKit, its internet of things framework, that could have allowed an attacker to commandeer IoT accessories like smart locks and garage door openers, later this week.
The vulnerability, identified and disclosed last Thursday by daily Apple news site 9to5Mac. Apple reportedly fixed the vulnerability with a server-side fix last week but plans to update iOS 11.2 later this week to “resolve any broken functionality” the fix may have introduced.
It will be the ninth update iOS 11 has received since debuting in September. The company fixed the KRACK vulnerability - a flaw that could have let an attacker in range of a victim's WiFi network to read encrypted traffic - in iOS 11.1. The company fixed a glitch that plagued iOS' keyboard a week later with iOS 11.1.1. While it wasn’t malicious, the bug, which replaced the letter "I" and other vowels with "A[?]," was widely viewed as a nuisance by users.
According to 9to5Mac Apple was informed of the HomeKit vulnerability in late October but didn’t push a fix for the issue, along with other vulnerabilities, until iOS 11.2 and watchOS 4.2 were released four days ago.
The publication didn’t get into details around the vulnerability; it only said it was difficult to reproduce and in order to exploit it an attacker would need at least one device on iOS 11.2, connected to the HomeKit user's iCloud account. 9to5Mac hints the vulnerability could have granted full access to any smart home product that works with HomeKit but that the most dangerous outcome could be the remote control of smart locks and connected garage door openers.
HomeKit, released in 2014, allows Apple users to turn off their lights with Siri, turn up music on their HomePod, lock doors, control cameras, doorbells, humidifiers, and control a slew of other IoT devices.
In a statement provided to 9to5Mac and other publications last week the company said HomeKit users may have difficulties if they had remote access to shared users enabled, at least until the update arrives later this week:
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
It’s the second major security issue to affect Apple in the last two weeks. At the end of November the company was forced to issue an emergency software update to remediate a critical bug in macOS High Sierra, its latest operating system, that could have let anyone login to a machine as a root without a password.
