
Apple iOS 11.2 Update Rooted in Smart Home Flaw

Integrators should use the latest Apple HomeKit vulnerability to talk about cybersecurity and service agreements with clients.

When potential IoT vulnerabilities like Apple HomeKit's "Zero Day" threat arise, it's a good time to remind clients that you can look out for their networks and help mitigate cybersecurity threats.

Jason Knott · December 15, 2017

Yet again, integrators have another powerful reason to talk about cybersecurity with their clients. The Apple iOS 11.2 update released on Dec. 14 was principally instigated by a vulnerability that allows unauthorized control of smart door locks, thermostats, plugs, lighting control and garage door openers via Apple HomeKit. The new iOS 11.2 update fixes the potential hack, but for integrators this problem is yet another opportunity to talk about providing cybersecurity protection via service contracts with your customers.

After the "Zero-Day" iOS problem was identified back in October, Apple rolled out a temporary fix that prevented access but also limited some of the functionality for end users trying to control their smart home features via Apple devices.

According to the website 9to5Mac, “The vulnerability allowed unauthorized control of HomeKit-connected accessories including IoT lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers.”

The website goes on to stress that the issue was not rooted in the smart home devices themselves, but in the HomeKit framework.


For end users to be affected by the vulnerability, the smart home system had to be using at least one iPhone or iPad on iOS 11.2 and be connected to the HomeKit user’s iCloud account. Apparently, earlier versions of iOS were not affected.

According to Apple, speaking to the 9to5Mac website, “the issues affecting HomeKit users running iOS 11.2 has been fixed.”

What does this mean for integrators? First and foremost, you should remind your customers to update their Apple iOS ASAP on their smart devices to close the potential hack, which could be used by thieves to simply unlock a door. If you have a service agreement with them to handle their mobile devices and their other interfaces, you should update the software right away.

Second, the flaw is another reason to reassure your clients that you are watching their system from a cybersecurity standpoint, starting at the network level.

Regarding Apple itself, when it first announced HomeKit back in 2014, CE Pro dubbed it “underwhelming,” and not much has changed to alter that viewpoint.

Apple first launched HomeKit with connectivity to companies such as Philips, Chamberlain, Kwikset, Withings, Netatmo, Cree, iHome, Haier, Sylvania, Honeywell and others. Since then, Leviton, Lutron and many others have instituted connectivity.

Meanwhile, the timing of the HomeKit vulnerability is pretty bad for Apple, which already is falling way behind in the voice control category. The company announced the new HomePod has been delayed, missing the holiday buying season, until 2018.

One of the biggest benefits of using HomeKit is that it combines the power of Siri voice control with the smart home. But since the launch, Amazon Alexa and Google Assistant have taken the market by storm, leaving Siri largely relegated to its initial uses, such as sending text messages, doing web searches and asking for directions.

The website 9to5Mac asks the provocative question of whether integrators and consumers should “trust HomeKit or smart home products going forward?” The website notes that software bugs happen frequently.







  About the Author

Jason Knott is Chief Content Officer for Emerald Expositions Connected Brands. Jason has covered low-voltage electronics as an editor since 1990, serving as editor and publisher of Security Sales & Integration. He joined CE Pro in 2000 and serves as Editor-in-Chief of that brand. He served as chairman of the Security Industry Association’s Education Committee from 2000-2004 and sat on the board of that association from 1998-2002. He is also a former board member of the Alarm Industry Research and Educational Foundation. He has been a member of the CEDIA Business Working Group since 2010. Jason graduated from the University of Southern California. Have a suggestion or a topic you want to read more about? Email Jason at jason.knott@emeraldexpo.com





Comments

Posted by slobob on December 16, 2017

There is another side to this: The constant push of “updates” from third party vendors. Why, once a user has a stable and secure system that WORKS, do they have to constantly do updates? If one is not changing devices or operating systems, why can’t they leave it locked down? Update and deal with it when the user DECIDES to change something, not every week. In my system, there is the TV OS (I set it to not auto update, but evidently that has no effect), Sonos (just changed the interface), Dish (just changed the interface), Roku, Apple TV (constantly updating)... and NONE OF THESE were at my demand, but rather a constant stream of nuisances. My lighting system doesn’t ask for updates, nor my control system, nor my AV Receiver... unless I CHOOSE to upgrade. Why can’t stable firmwares be left alone?
