
Developer details Apple HomeKit vulnerability that left locks and cameras open for a month

More affordable Apple devices make more convenient HomeKit smart home controllers.
Image Credit: Apple

Opening your garage door with an Apple Watch? If you’re the one opening the door via HomeKit, that’s pretty cool. But what if a stranger can also access your home? Not so cool.

Back in October, a developer discovered that exact vulnerability in Apple’s HomeKit home automation platform, which launched with the claim that it was “designed with privacy and security from the very beginning,” requiring brand-new accessories with Apple-approved security components. After a month of frustrating attempts to get Apple to fix HomeKit’s security hole, the developer took to Medium to discuss the issue, as well as his concerns about Apple’s “ignorance on security” and dangerously slow response protocols.

Writing under the name “Khaos Tian,” the developer says that HomeKit would readily share lists of both HomeKit accessories and encryption keys over insecure sessions with Apple Watches running watchOS 4.0 or 4.1. With those formerly top secret details in hand, the attacker could act like the home’s owner, controlling every HomeKit accessory from door locks to IP cameras and light switches — whatever had been trusted to Apple’s system.

Tian says that he quickly reported the issue to Apple Product Security. But rather than fixing it, Apple engineers actually widened the security hole with the releases of iOS 11.2 and watchOS 4.2. At that point, both Apple Watches and unauthorized iOS 11.2 devices could receive the sensitive HomeKit information, broadening the array of potential attacks. Concerned about the issue, Tian attempted to follow up with Apple by emailing at the beginning, middle, and end of November, but received no response after an initial October reply that the company would be looking into the problem.


“Since they won’t reply to my emails and they made the situation worse in latest release,” said Tian, “I wasn’t really sure what to do next. I asked around and luckily someone was able to poke a person they know working at product security team, and finally I was able to get an email reply from the team. I guess that’s how product security works now? I have to know someone to get my security issue handled properly?”

The developer blames a “macOS root level” ignorance of security for the initial problem, and Apple’s lack of a sense of urgency for leaving such a major home security issue unresolved for such a long time. After a month had passed without follow-up — during which the supposedly “secure” HomeKit gear remained compromised — Tian contacted the Apple-focused site 9to5Mac, hoping some publicity would pressure Apple to issue a fix. 9to5Mac privately contacted Apple’s public relations team, then waited to report the breach until Apple was ready to announce that it had implemented a temporary fix.

Ironically, Tian says that Apple PR — not generally known for its responsiveness — was “much more responsive than” the Apple Product Security team. “No wonder nowadays people just throw security issues on Twitter right?” said Tian. “What a world we live in.” It took until December 13, a month and a half after initial disclosure, for the issue to be fully remedied with iOS 11.2.1.

It’s worth underscoring that Apple’s original pitch for a new HomeKit product ecosystem suggested that it was necessarily incompatible with established home automation products because it was better: engineered to be more private and secure. Just like several prior Apple accessory initiatives (the 30-pin Dock Connector, Lightning Connector, and AirPlay speakers) eliminated compatibility, Apple locked out previously released smart thermostats, locks, and light switches, requiring users to purchase new accessories with extra-secure Apple-approved components. HomeKit was sold on the premise that you could trust your home to Apple — and perhaps not other companies (read: Google) that weren’t as concerned with your privacy.

Tian’s conclusion? Despite his initial excitement for HomeKit’s promised security and privacy back in 2014, he warns users to “be vigilant when someone make[s] the promise that something is secure.” All it takes is a mismatch between hardware and software engineers to cause “a complete[] security breakdown of the entire system.”
