Apple is struggling to stop a ‘skeleton key’ hack on home Wi-Fi

“Even with all Apple’s expertise and investment in cybersecurity, there are some security problems that are so intractable the tech titan will require a whole lot more time and money to come up with a fix,” Thomas Fox-Brewster writes for Forbes. “Such an issue has been uncovered by Don A. Bailey, founder of Lab Mouse Security, who described to Forbes a hack that, whilst not catastrophic, exploits iOS devices’ trust in Internet of Things devices like connected toasters and TVs. And, as he describes the attack, it can turn Apple’s own security chip on iPhones into a kind of “skeleton key.””

“There’s one real caveat to the attack: it first requires the hacker take control of an IoT technology that’s exposed on the internet and accessible to outsiders,” Fox-Brewster writes. “But, as Bailey noted, that may not be so difficult, given the innumerable vulnerabilities that have been highlighted in IoT devices, from toasters to kettles and sex toys. Once a hacker has access to one of those broken IoT machines, they can start exploiting the trust iOS places in them.”

“That’s because of the technical workings of something known as an MFi chip – an Apple design it licenses to other manufacturers who want to connect their products with iOS devices. Bailey found iOS devices can be tricked into handing over private network keys to hacked devices that contain such chips,” Fox-Brewster writes. “If Apple is going to fix the problem, it could take years, Bailey warned. That’s because Apple would have to update not just its own tech, but also the licensed MFi chips of its partners. Bailey thinks it would mean changes to entire manufacturing processes as well as internal systems.”

Read more in the full article here.

MacDailyNews Take: Oops. This screwup perhaps helps to explain Apple’s glacial pace on HomeKit and home automation?

How Apple’s HomeKit broke my digital heart – April 3, 2018
Apple’s HomeKit security screwup spotlights the risk of smart homes – December 8, 2017
Zero-day iOS HomeKit flaw allowed remote access to IoT devices including door locks, garage door openers; fix rolling out – December 8, 2017
Apple delays HomeKit launch until autumn – May 14, 2015


    1. Eddy may be clueless but it’s clear that Apple has lost control of the important things. Instead they blow money on cars and executive bonuses. The security advantage that Apple used to represent is rapidly dissipating. The best security you are going to have is personal control and ability to run offline. Apple’s focus on pushing the Big Brother always-connected iOS is never going to be rock solid in security. macOS, if Apple bothered to put effort into it, could be. Because it put the user in control.

  1. Makes me wonder why do we “need” IoT?

    It has always looked like to me that IoT devices are just an excuse to finagle users into buying more devices, which I object to.

    We are having a nice quiet dinner at a friends place chatting away and our host suddenly yells at Alexa. But Alexa doesn’t respond right so he keeps yelling out more commands … Total waste!

    1. I concur
      I use LIFX lights … and we control them through HomePod… I totally understand the screaming battles you mentioned… especially if TV or another sound source is on…

      After about a couple of weeks the novelty wore off … And I went back to using the wall switches, not all but most of the time.

    2. Agreed that IoT is not ‘needed’ for many things in the home. However if Apple’s competitors continue to advance on the tech while Apple declines to ‘join in’ Apple may be seen as a laggard in the field. The luxury brand image Apple maintains now will definitely take a hit.

    1. But Apple won’t. Apple won’t take responsibility for IoT products with security holes. It will do the Ford Pinto calculation: costs too much to make it right, so we’ll let the user take all the risk.

      All the salesmen selling always-connected internet devices, which includes almost all of Apple’s new iOS & derivative products since 2007, NEVER guarantee your privacy or security. Buyer beware.

  2. Sure let me just believe any thing I read. The article is printed. So it must be true. A smart person said it. It must be true. I commented on it. It must be true.

  3. First of all, this is an article from Forbes based on a claim by “…Don A. Bailey, founder of Lab Mouse Security.” I know that Forbes often screws up in its reporting on technology. And I have never heard of “Lab Mouse Security.”

    That does not mean that the article or claim is inaccurate, but I would recommend waiting for credible confirmation before jumping on the “Apple screwup” bandwagon. Where is the old healthy skepticism until the allegations are proven?

    Second, let’s say that Apple actually screwed up and left some sort of vulnerability in its MFi chip. It is worth noting that it took years for someone to find it (if the flaw actually exists). Additionally, the exploit path and severity remain unclear. We just have Mr. Bailey’s speculation on the subject. Furthermore, you appear to be blindly accepting Mr. Bailey’s assertions regarding the steps that Apple would need to take to address the alleged flaw and the time and effort involved.

    No one ever claimed that Apple is perfect. But the company has been attacked with blatant FUD more times than I care to count. So, I always take reports like this with a grain of salt and wait for additional analysis from other independent sources. The MDN staff *used* to do the same thing.

  4. I was personally hacked… or so I believe. I have yet to hear back from Apple, they requested a bunch of information from me, but on July 17th at 4:00 am Mountain Daylight Time, my HomeKit devices were apparently getting commands from someone not in my house, and not an approved user of my HomeKit devices. I checked all the devices logged into my Apple account, all of those were mine, and the only devices allowed are mine or my wife’s, yet my HomeKit devices were being controlled from somebody else… Anyhow, I have door locks that are HomeKit, and this scares me that there is a security hole like this.

  5. I was hacked on April 16th and have yet to get Apple to acknowledge any connection to my continuing issues. All my devices, my navigation system in my Lexus GX460 and even the phones (Apple and Android) and devices of several friends (since I wasn’t fully aware of its power to infiltrate) are also affected. No one has an answer nor a resolution. I no longer have wifi, cable, a laptop, etc. in my home and the entire ordeal has caused me great mental and emotional (surely financial) harm and loss.
