Zero-day Vulnerability In iOS HomeKit Allows Remote Access To IoT devices

Dec 10, 2017

A vulnerability in Apple HomeKit, introduced with iOS 11.2, makes it possible to control devices connected to the smart home service, such as smart door locks, without entering credentials. As reported by 9to5Mac, Apple has already released a preliminary server-side fix that prevents unauthorized access. However, it also limits some legitimate features.

The bug is difficult to reproduce, the report says. At least one iPhone or iPad running iOS 11.2 must be connected to the HomeKit framework or the iCloud account of the HomeKit user. Older versions of Apple’s mobile operating system are not affected.

Apple is said to have learned of this and other vulnerabilities in late October. Not all of the bugs were corrected with iOS 11.2. Apple has also fixed some problems on the server side, so that users do not have to take any action. “The HomeKit user with iOS 11.2 issue has been fixed,” said an Apple spokesman. “Fix will temporarily disable access to shared users, which will be restored with a software update early next week.”

9to5Mac assumes that Apple resolved the problem faster than originally planned after the blog was made aware of it. In addition, due to the severity of the vulnerability, the blog is obligated to make users aware of the bug, without, however, disclosing the technical details. Apple had released iOS 11.2 late last week. The update came outside the usual schedule to fix a bug in iOS 11.1.2 that crashes the SpringBoard interface on iOS devices when certain notifications arrive. It also brought fixes for the calculator’s sluggish key input, the ongoing difficulty of retrieving Exchange mail, and calendar crashes.

The HomeKit flaw is likely to intensify the discussion about the quality of Apple’s software. Within days, the company had to admit that the admin account of macOS High Sierra 10.13.1 can be activated by entering the user ID “root” without a password, and that the patch developed for this is undone again by updating to High Sierra 10.13.2. The date bug in iOS, which might make iPhones unusable, also did nothing to restore the damaged confidence.