TidBITS: Apple Releases iOS 11.2.1 and tvOS 11.2.1 to Fix HomeKit Vulnerability

By Josh Centers
http://tidbits.com/article/17685

After Zac Hall of 9to5Mac discovered a major HomeKit vulnerability, Apple fixed it on the server side, which had the unfortunate side effect of preventing you from granting remote access to your HomeKit devices to other users (see “HomeKit Vulnerability Discovered, Already Patched,” 8 December 2017). Now Apple has released iOS 11.2.1 and tvOS 11.2.1 to address the security flaw while continuing to allow remote access for shared users.


It makes sense that iOS and tvOS were updated together, since you can use an iPad, fourth-generation Apple TV, or Apple TV 4K as a HomeKit hub for remote access.

I was curious about the exact nature of the exploit because both Apple and 9to5Mac were intentionally vague. Steve Troughton-Smith revealed on Twitter that it allowed someone to activate a scene remotely with only an email address. As I explained in “A Prairie HomeKit Companion: Core Concepts” (3 November 2016), a scene in HomeKit is like a macro in that it does several things at once, like turn on a set of lights. If you had a HomeKit-enabled lock on your front door and a scene tied to it, an attacker could have unlocked your front door from across the globe!

You can obtain the iOS 11.2.1 update, which weighs in at 60.2 MB on the iPad Pro, either in Settings > General > Software Update or via iTunes. The HomeKit vulnerability was the only one addressed in the update. Likewise, you can install tvOS 11.2.1 by going to Settings > System > Software Updates. Again, the HomeKit vulnerability was the only one addressed in that update. If you don’t use HomeKit, there’s no reason we can see to install these updates.

As someone who has written extensively about HomeKit in my “A Prairie HomeKit Companion” series and touted its superior security over other home automation solutions, I’m disappointed but not terribly surprised. Vulnerabilities are practically inevitable. However, the good news is that because Apple is a responsible company, the problem was solved quickly and openly. That said, I’m still hesitant to secure my house with a HomeKit-enabled lock.


Article copyright © 2017 by Josh Centers. Reuse governed by Creative Commons License.