Apple’s software woes continued this week with the publication of a HomeKit flaw that allowed remote access to smart home devices like locks and lights. The company has since issued a temporary patch by disabling remote access to shared users, and plans to permanently plug the hole in a software update next week.
Demonstrated to 9to5Mac by an unnamed source, the HomeKit vulnerability granted unauthorized access to internet-connected devices controlled by Apple’s smart home platform.
The process, which was not detailed in today’s report, is said to be difficult to reproduce. However, unlike recent Apple software bugs, a HomeKit flaw presents a tangible real-world security threat to users who have smart door locks and garage door openers installed in their home.
Fortunately, Apple has implemented a temporary fix by disabling remote HomeKit access to certain users.
“The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week,” Apple said in a statement.
The report claims Apple was made aware of the vulnerability in late October, and says some issues were fixed as part of the recently released iOS 11.2 and watchOS 4.2 updates. Apple patched other holes related to the HomeKit flaw server-side, the report said.
Today’s revelations come on the heels of an embarrassing week for Apple software. Last Tuesday, media outlets glommed on to a glaring macOS High Sierra flaw that provided root system administrator access without first requiring a password. Apple pushed out a quick fix, but that patch broke file sharing for some users.
Later in the week, users discovered a date bug in iOS 11.1.2 that threw some devices into a continuous soft reset loop. The issue forced Apple to release iOS 11.2 early in an overnight update on Saturday.