iOS 11.2 has been out in the wild now for a month so you’d expect most of the critical bugs and issues to have surfaced by now. Well, most of them have but that does still leave room for some undiscovered problem. Unfortunately, that was indeed the somewhat frightening case that HomeKit users with smart locks may have been blissfully unaware of. It turns out that iOS 11.2 brought with it a vulnerability that allowed unauthorized persons to unlock doors and garages remotely via Apple’ smart home platform.
9to5Mac, how broke the news after receiving the information, doesn’t go into detail on how the vulnerability works. It just assures readers that it was a difficult process. That said, it was obviously not too difficult, otherwise, they wouldn’t have raised the alarm. Fortunately, it only happens under a specific set of conditions, including an iOS 11.2 device connected to HomeKit via iCloud.
There’s no reason to panic now, the publication assures. Apple has made a temporary fix on the server side to prevent exploiting this bug. Specifically, it has disabled remote access to shared users on HomeKit. That feature will be returned once an actual fix for iOS 11.2 devices rolls out next week.
While the fire has fortunately been put out quickly, it does raise doubts about HomeKit and the whole smart home security idea in general. Software bugs are commonplace, but bugs that could lead to life-threatening situations are unacceptable.
What makes the matter worse is that the vulnerability has been open for weeks before someone chanced upon it. Hopefully it has burned Apple enough that it will be more vigilant over such security holes in the future.