Opening your garage door with an Apple Watch? If you’re the one opening the door via HomeKit, that’s pretty cool. But what if a stranger can also access your home? Not so cool.
Back in October, a developer discovered that exact vulnerability in Apple’s HomeKit home automation platform, which launched with the claim that it was “designed with privacy and security from the very beginning,” requiring brand-new accessories with Apple-approved security components. After a month of frustrating attempts to get Apple to fix HomeKit’s security hole, the developer took to Medium to discuss the issue, as well as his concerns about Apple’s “ignorance on security” and dangerously slow response protocols.
Writing under the name “Khaos Tian,” the developer says that HomeKit would readily share lists of both HomeKit accessories and encryption keys over insecure sessions with Apple Watches running watchOS 4.0 or 4.1. With those formerly top secret details in hand, the attacker could act like the home’s owner, controlling every HomeKit accessory from door locks to IP cameras and light switches — whatever had been trusted to Apple’s system.
Tian says that he quickly reported the issue to Apple Product Security. But rather than fixing it, Apple engineers actually widened the security hole with the releases of iOS 11.2 and watchOS 4.2. At that point, both Apple Watches and unauthorized iOS 11.2 devices could receive the sensitive HomeKit information, broadening the array of potential attacks. Concerned about the issue, Tian attempted to follow up with Apple by emailing at the beginning,…