Zero-day iOS HomeKit flaw allowed remote access to IoT devices including door locks, garage door openers; fix rolling out

“A HomeKit vulnerability in the current version of iOS 11.2 has been demonstrated to 9to5Mac that allows unauthorized control of accessories including smart locks and garage door openers,” Zac Hall reports for 9to5Mac. “Our understanding is Apple has rolled out a server-side fix that now prevent unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality.”

“The vulnerability, which we won’t describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plug,” Hall reports. “The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac.”

“The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies,” Hall reports. “Users need to take no action today to resolve the issue as the fix that is rolling out is server-side. The future update to iOS coming next week will resolve any broken functionality.”

Read more in the full article here.

MacDailyNews Take: When you’re selling security, yet providing insecurity, something’s very broken inside Apple.

Of course, it’s not like we haven’t been warning of this for years:

Open letter to Tim Cook: Apple needs to do better – January 5, 2015

Apple on Mac flaw: ‘We apologize to all Mac users. Our customers deserve better. We are auditing our development processes.’ – November 29, 2017
Apple releases fix for macOS High Sierra administrator authentication bypass flaw – November 29, 2017
Tim Cook’s sloppy, unfocused Apple rushes to fix a major Mac security bug – November 29, 2017
What to do about Apple’s shameful Mac security flaw in macOS High Sierra – November 29, 2017
Apple’s late, delayed, limited HomePod is looking more and more like something I don’t want – November 27, 2017
Why Apple’s HomePod is three years behind Amazon’s Echo – November 21, 2017
Under ‘operations genius’ Tim Cook, product delays and other problems are no longer unusual for Apple – November 20, 2017
Apple delays HomePod release to early 2018 – November 17, 2017
Apple CEO Tim Cook: The ‘operations genius’ who never has enough products to sell at launch – October 23, 2017
Apple reveals HomePod smart home music speaker – June 5, 2017
Apple’s desperate Mac Pro damage control message hints at a confused, divided company – April 6, 2017
Apple is misplaying the hand Steve Jobs left them – November 30, 2016
Apple delays AirPod rollout – October 26, 2016
Apple delays release of watchOS 2 due to bug – September 16, 2015
Apple delays HomeKit launch until autumn – May 14, 2015
Apple delays production of 12.9-inch ‘iPad Pro’ in face of overwhelming iPhone 6/Plus demand – October 9, 2014
Tim Cook’s mea culpa: iMac launch should have been postponed – April 24, 2013

[Thanks to MacDailyNews Reader “Fred Mertz” for the heads up.]


  1. If Apple didn’t allow us to update iOS right on our phones and I had to hook it up to iTunes for all of these god forsaken updates, I’d have thrown my iPhone in the trash by now. But when you can just press a couple buttons and let it update for a few minutes while it’s in your pocket at work, at a party or charging on your nightstand, it’s no big deal.

    Of course I remember the old days when folks on here were telling R2 that the iPhone didn’t need OTA software updates, but we won’t get into that. With Apple Music and an independent iOS, I haven’t opened iTunes in years—and I’m grateful for that.

  2. I’ve been interested in home automation since attending a demo of X-10 in the mid-70’s and have used X-10 and other systems, but I have mixed feeling about HomeKit.

    For home automation to succeed, the individual items need to be affordable, therefore having the backing of a huge company like Apple creates a mass market which should bring down prices. On the other hand, if I integrate home integration into your home, those items need to remain fully functional for at least twenty years and also need to remain operational under unfortunate circumstances ( extreme weather conditions, internet or RF failures etc ). Apple has an unfortunate track record for moving on and leaving older technology behind.

    If I decide to install HomeKIt devices all around my home and then use some old iPhones or iPads as control devices, then I would want those controllers to still function for as long as they remain in working order. I wouldn’t want a future OS upgrade to obsolete those controllers or even more alarmingly to obsolete my HomeKit devices.

    Apple is taking the right approach and has put a lot of thought into the details, but I have never seen any commitment about how long they will guarantee to properly support it. I change my iPhones every 2-3 years, my iPads after 3-5 years and my Macs after 5-7 years, but once I install HomeKit devices, I expect to keep using them for the next twenty years because that’s how long I plan to stay living in my present house.

  3. Very disappointed in Apple with this. I have been saying for quite a while that I would not buy any IoT hardware because there was zero security with those items. How someone could put an IoT teddy bear in a child’s room is beyond me. Now this. The person or the team who let this issue exist should be fired. Shameful Apple.

  4. I’m intrigued by the possibilities of home automation, networked appliances, etc., but if my smart bathroom scale were to start telling my smart kitchen refrigerator to lock me out, sparks would fly. Real sparks.

  5. This is potentially a hacker’s paradise right now and will be even more as the internet of things devices have that early growth spurt. Imagine doors unlocking and locking, thermostats shifting temperature, cars going the wrong way, drones killing civilians, being locked out of the fridge.

    It will be a hacker’s delight, oh and of course for any decrepit government.

  6. Thus would be hilarious if it weren’t so serious and frightening. Thanks, Tim, you’ve done what your competitors haven’t been able to do – make Apple despised and distrusted. Your total lack of quality control has diminished Apple’s credibility. I hope you’re happy, Tim.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.