Security Flaw in iOS 11 Update

A short while ago, we discussed smart home hubs Google Home and Amazon Echo, and the ways in which they can make up the central nervous system of your smart home. With the ability to connect to a whole host of different ‘connected’ devices, these hubs give you the potential to control your lighting, kitchen appliances, and even front door locks.

As well as connecting to these home hubs, smart devices can also talk to your Apple iPhone and Android phone. In their efforts to ensure that smartphone devices support the ‘internet of things’, the collective name for all connected devices, Google and Apple continue to release updates to their device software that facilitate connection and control over smart home devices. For Apple iPhones and iPads, this is made possible through a piece of software called HomeKit.

Apple's iOS 11 hasn't been around for long, and the smartphone giant recently rolled out version 11.2. Unfortunately, this update also introduced a zero-day vulnerability in the HomeKit software that could put your smart home devices – and personal home security – at risk.

What is the security risk?

To give you some context, Apple’s HomeKit software allows you to set up shortcuts to all the connected smart home devices that you choose to associate with the account. After setting up your devices, you can control all of them from your iPhone or iPad, providing the device is running HomeKit. This means that if you have a smart front door lock, you can literally lock and unlock the device with a tap of the finger. Giving an unauthorised user access to this software would be akin to handing a criminal a copy of your front door key.

Tech blog ‘9to5Mac’ recently found a method, difficult to reproduce but no less concerning, that allowed them to gain unauthorised access to smart home devices connected to Apple’s HomeKit software, including thermostats, lights and plug sockets. The most worrying discovery was that this control extended to more critical devices, including garage door openers and front door locks, provided they were linked to the software.

If a criminal were able to reproduce this issue, they could potentially gain access to any connected locks without the need for a key, and thus to your home.

Will Apple fix the problem?

Apple initially released a fix on their own side to temporarily resolve the issue, whilst working on an official update for users to download. However, this server-side fix also disabled some user functionality, such as the ability to add new user accounts to the HomeKit account registered on their devices, so it’s not ideal. Fortunately, that update is now available; iOS 11.2.2 fixes the issue, so we recommend getting up to date as soon as possible.

Should I be worried?

To be affected by the security hole in Apple's iOS software, you'd need to have at least one iPhone or iPad running iOS version 11.2, and have that device connected to Apple's HomeKit software via the linked iCloud account. To be most at risk, you’d also need to have a smart lock or smart garage door opener connected to the HomeKit software.

Though smart home connectivity is becoming more and more popular, most users dabble in smart lighting or remote control over plug sockets. Front door locks require a larger effort to install and are pricier in terms of upfront investment. As a result, it’s probably unlikely that you’re in a position to be affected.

Still, this story once again raises the issue of responsibility that technology giants face as smart home devices continue to garner popularity. We’re sure it’s only a matter of time until you see the world’s first news story about a burglary committed using nothing but a hacked smartphone or tablet.

Get in touch

If you’d like to discuss smart home devices and how they can work in conjunction with your smartphones, you can give us a ring on 0808 123 2820. We can talk you through the setup and any associated risks.
