iOS HomeKit bug exposed smart locks to unauthorized access

Remigio Civitarese
December 8, 2017

A zero-day vulnerability is a flaw in a piece of software that was unknown to the developer when the software shipped. 9to5Mac said that "the vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account", which isn't exactly easy.

Details on how the vulnerability can be exploited were not released, as the bug is still potentially exploitable. It is an iOS 11.2 bug that Apple has already fixed via a server-side patch; an update to iOS 11.2 due next week will fix the other end of the bug on iOS devices (via 9to5Mac).

The issue didn't involve smart home products but instead the HomeKit framework itself.

Apple has another security issue to deal with.

Apple will be pushing a more permanent fix with iOS 11.2 next week, which should restore full functionality and correct the issue. The current fix temporarily disables remote access for shared users; that access will be restored in a software update early next week. This issue follows a High Sierra bug discovered last month that allowed users to gain admin access without a password.

The tvOS and watchOS updates were released on December 4 and 5, respectively, and contain the same fixes: for the kernel bugs mentioned above and for a memory corruption issue in IOSurface that could have allowed a malicious application to execute arbitrary code with kernel privileges. If an attacker can unlock a user's home through the app, or do damage by adjusting thermostats or turning on appliances, users may have second thoughts about connecting those devices.
