Apple Fixes iOS 11.2 Homekit Vulnerability


More precise details about the vulnerability weren't mentioned, but the original report said that it was "difficult to reproduce".

The vulnerability was only present in the latest build of iOS for the iPhone and iPad, version 11.2, and has now been temporarily fixed with a server-side update by Apple.

This time a flaw was discovered in Apple's smart home control system, HomeKit, leaving internet-connected door locks, garage door openers, lights and other gadgets open to attack.


The disclosure of another bad security flaw comes at an awful time for Apple.

Users won't have to install anything, but they will notice the "remote access to shared users" feature for their HomeKit devices has been temporarily disabled.

A new HomeKit zero day bug lets attackers remotely access and control your smart home devices.


The issue didn't involve smart home products but instead the HomeKit framework itself.

As a side note: this latest watchOS upgrade also provides peer-to-peer payment capability through Apple Pay, but it will only work on Apple Watch when the wearable is paired with an iPhone running iOS 11.2. Earlier iOS versions are free of the bug.

After last week's release of an out-of-cycle emergency fix for a critical macOS High Sierra bug that allowed easy root access, the macOS update released yesterday (December 6) carries fixes for 22 vulnerabilities. However, the fix does disable some of the HomeKit functionality for remote users, although the disruption to the service's functionality will be fixed in a future iOS update. The ability to hack a smart lock may sound worrisome, but traditional door locks can be picked too, noted Jeff Tang, a security researcher with Cylance.

