iOS HomeKit Flaw Allows Remote Control of Connected Smart Things

A recently discovered vulnerability in Apple’s HomeKit framework, which is used to manage smart devices on a home network, could enable remote attackers to take those devices over. The vulnerability affects all smart accessories, from smart locks to garage door openers and smart light bulbs, and is present in iOS 11.2 but not in previous versions.

The vulnerability is not tied to a specific IoT device; it affects all smart things using Apple’s HomeKit framework, which significantly increases the attack surface for cybercriminals.

While the proof-of-concept attack is allegedly somewhat difficult to perform, the vulnerability is nonetheless serious and cybercriminals could potentially use it in real-world attacks. For this reason alone, particular details of how the issue is exploited have been kept under wraps until the matter is resolved.

Apple has already released a server-side fix that disables remote access for shared users, saying the feature will be restored once a full patch is pushed through iOS to completely address the issue.

“The issue affecting HomeKit users running iOS 11.2 has been fixed,” according to an Apple statement. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

The chances that hackers will exploit the vulnerability in the coming week (Apple says it will push an update by then) are very slim, and the average user can still rest assured, because the server-side quick fix should prevent any wrongdoing.

Vulnerabilities in IoT devices are regularly reported by security researchers, but not all manufacturers have a fast and reliable procedure for addressing them and issuing security fixes. Since installing a security solution on IoT devices is not an option, users need to turn to a home network security solution capable of securing all internet-connected devices, regardless of their type and function.
