Apple iOS 11.2 Update Rooted in Smart Home Flaw

Integrators should use the latest Apple HomeKit vulnerability to talk with clients about cybersecurity and service agreements.


Yet again, integrators have another powerful reason to talk about cybersecurity with their clients. The Apple iOS 11.2 update released on Dec. 14 was principally instigated by a vulnerability that allows unauthorized control of smart door locks, thermostats, plugs, lighting control and garage door openers via Apple HomeKit. The new iOS 11.2 update fixes the potential hack, but for integrators this problem is yet another opportunity to talk with customers about providing cybersecurity protection via service contracts.

After the “zero-day” iOS problem was identified back in October, Apple rolled out a temporary fix that prevented access but also limited some of the functionality for end users trying to control their smart home features via Apple devices.

According to the website 9to5Mac, “The vulnerability allowed unauthorized control of HomeKit-connected accessories including IoT lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers.”

The website goes on to stress that the issue was not rooted in the smart home devices themselves, but in the HomeKit framework.


For end users to be affected by the vulnerability, the smart home system had to be using at least one iPhone or iPad on iOS 11.2 and be connected to the HomeKit user’s iCloud account. Apparently, earlier versions of iOS were not affected.

According to Apple, speaking to the 9to5Mac website, “the issue affecting HomeKit users running iOS 11.2 has been fixed.”

What does this mean for integrators? First and foremost, you should remind your customers to update iOS on their Apple devices ASAP to close the potential hack, which could be used by thieves to simply unlock a door. If you have a service agreement with them to handle their mobile devices and their other interfaces, you should update the software right away.

Second, the flaw is another reason to reassure your clients that you are watching their system from a cybersecurity standpoint, starting at the network level.

Regarding Apple itself, when it first announced HomeKit back in 2014, CE Pro dubbed it “underwhelming,” and not much has changed to alter that viewpoint.

Apple first launched HomeKit with connectivity to companies such as Philips, Chamberlain, Kwikset, Withings, Netatmo, Cree, iHome, Haier, Sylvania, Honeywell and others. Since then, Leviton, Lutron and many others have instituted connectivity.

Meanwhile, the timing of the HomeKit vulnerability is pretty bad for Apple, which already is falling way behind in the voice control category. The company announced the new HomePod has been delayed, missing the holiday buying season, until 2018.

One of the biggest benefits of using HomeKit is that it combines the power of Siri voice control with the smart home. But since the launch, Amazon Alexa and Google Assistant have taken the market by storm, leaving Siri more relegated to its initial uses, such as sending text messages, doing web searches and asking for directions.

The website 9to5Mac asks the provocative question of whether integrators and consumers should “trust HomeKit or smart home products going forward?” The website notes that software bugs happen frequently.