Slashdot Mirror


Zero-Day iOS HomeKit Vulnerability Allowed Remote Access To Smart Accessories Including Locks (9to5mac.com)

Apple has issued a fix to a vulnerability that allowed unauthorized control of accessories, including smart locks and garage door openers. "Our understanding is Apple has rolled out a server-side fix that now prevents unauthorized access from occurring while limiting some functionality, and an update to iOS 11.2 coming next week will restore that full functionality," reports 9to5Mac. From the report: The vulnerability, which we won't describe in detail and was difficult to reproduce, allowed unauthorized control of HomeKit-connected accessories including smart lights, thermostats, and plugs. The most serious ramification of this vulnerability prior to the fix is unauthorized remote control of smart locks and connected garage door openers, the former of which was demonstrated to 9to5Mac. The issue was not with smart home products individually but instead with the HomeKit framework itself that connects products from various companies. The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple's mobile operating system, connected to the HomeKit user's iCloud account; earlier versions of iOS were not affected.

39 comments

  1. smart by Neuronwelder · · Score: 4, Insightful

    Why do they use the word "smart" when using the public Web to control a private home?

    1. Re:smart by Anonymous Coward · · Score: 0

      $5 wrench test, most homes can be broken into with 5 seconds and a $5 wrench... Security really isn't that big a deal. If it is, don't buy this shit and secure your windows and doors at minimum.

    2. Re:smart by Anonymous Coward · · Score: 0

      It's a "smart move" for the manufacturers to produce and sell... because dumb consumers buy this overpriced shit. Has absolutely nothing to do with the products themselves being 'smart'.

      21st century rule of thumb: if a product has 'smart' in the name, the 'smart' thing to do is not to buy it.

    3. Re:smart by gravewax · · Score: 1

      Any company that can convince people to put the control of their lives into the hands of the public has to be pretty fucking smart, at least smarter than the actual purchaser.

    4. Re:smart by ls671 · · Score: 1

      Thanks, I couldn't believe my understanding of TFS but you seem to confirm it was correct.

      --
      Everything I write is lies, read between the lines.

    5. Re:smart by TheRaven64 · · Score: 1

      It's not just about security, it's about visibility. The easiest way to break into my house is to throw a brick through the window. The problem with doing that, as a burglar, is that the lawful owner of the house would probably not do that and so it's likely that someone else would call the police. It also leaves evidence of unlawful entry, so even if no one sees you throw the brick, someone might notice the big hole in the window and report it.

      A better thief might buy a set of lockpicks, learn how to pick the locks, and then do that. I have a fairly good lock, so it would probably take about a few minutes to pick. If someone is kneeling in front of my door poking at the lock, then there's a reasonable chance that my neighbours would notice. Even if they didn't call the police, they'd probably remember what the person looked like and be able to give their description to the police. If you rob a few houses, then the chance of being caught increases a lot.

      Now, imagine that you have an app that you bought from a criminal site that will identify 'smart' appliances in homes that you walk past, let you know the ones that have appliances in modes that indicate that they're unoccupied and will unlock the doors as you walk up to them. You can simply walk around a neighbourhood and walk into an unoccupied house, have a look around, and if it looks like there's stuff worth stealing then call a friend with a van. If anyone accosts you before your friend with the van turns up, then you tell them that the front door was open and you thought that someone might have broken in and were checking before you called the police.

      --
      I am TheRaven on Soylent News

    6. Re:smart by Neuronwelder · · Score: 2

      To add to what you said: What's to prevent the video from being interrupted and not seeing the person breaking into a house?

    7. Re:smart by Neuronwelder · · Score: 1

      Thank you. They can sell you manure if they package it right. Just put a flashy commercial on the TV.

    8. Re:smart by Anonymous Coward · · Score: 0

      Wasn't it the creators of Cards Against Humanity that did exactly that on Black Friday 2016? They didn't even need a TV commercial.

  2. Reported in October by Anonymous Coward · · Score: 1

    According to the article, Apple was informed of the vulnerability in October and won't be releasing a patch until next week. The patch is only coming out that "soon" because 9to5Mac is reporting on it, much like the "empty password for root" bug was reported to them weeks ago but only fixed when it went "viral" on Twitter.

    It's clear that Apple is taking Microsoft's stance of security from the 90s: they don't care about it.

    1. Re:Reported in October by Hal_Porter · · Score: 3, Informative

      Apple have never really taken security seriously. Remember how when iPhones came out Apple fans claimed Apple was more secure and also that the iPhone being locked down wasn't a problem because you could jailbreak it by visiting a site with a malformed TIFF?

      This was in 2007, five years after Microsoft's focus on security initiative.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

    2. Re:Reported in October by Anonymous Coward · · Score: 1

      Hal Porter doesn't even take the history of company security seriously. He just dislikes Apple; given his comment history, anyone can see that. The truth is few take security at all seriously.

    3. Re:Reported in October by Anonymous Coward · · Score: 0

      Doesn't make him wrong. Apple security is a joke. They didn't notice that you could log in as root with no password, and then ignored it when it was pointed out to them until they were being mocked all over Twitter for it. It took a tweet for them to realize that letting anyone log in as root with no password was probably a security flaw.

    4. Re: Reported in October by Hal_Porter · · Score: 1

      My main laptop is a Mid 2012 MacBook Pro these days. I like it and would have upgraded it if it weren't for soldered RAM and SSD in the newer models.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

    5. Re:Reported in October by ls671 · · Score: 1

      Apple have never really taken security seriously...

      I am not trying to defend Apple here since there is no excuse, but seriously, very few people take security seriously nowadays, even where one would expect people in charge of a given organization to do so.

      I remember a default value for an organization field being "not_organized" somewhere, I think it was in certificate requests but I am not sure ;-)

      In a technologically advanced society, maybe IT security topic knowledge should be made mandatory before going to high school.

      --
      Everything I write is lies, read between the lines.

    6. Re:Reported in October by Anonymous Coward · · Score: 0

      Remember how when iPhones came out Apple fans claimed Apple was more secure

      We still do. More secure? It's a low bar.

    7. Re:Reported in October by TheRaven64 · · Score: 1

      Remember how when iPhones came out Apple fans claimed Apple was more secure and also that the iPhone being locked down wasn't a problem because you could jailbreak it by visiting a site with a malformed TIFF

      And almost 10 years after that, Android phones were shipping with a vulnerability in the media framework, which ran in a separate process with root privilege (WTF?!?) that allowed any web site to run malicious code as root and then compromise the kernel. And it took over six months between the vulnerability being made public (and even given the buzzwordy name StageFright) and more than 50% of Android phones being patched, in spite of the Android developers having the experience of the iOS vulnerability to learn from. In the same time, iOS split various core services into over a hundred different processes that all run with minimal privilege.

      Apple security is still close to the best in the business, but that's a pretty low standard.

      --
      I am TheRaven on Soylent News

    8. Re:Reported in October by Anonymous Coward · · Score: 0

      Remember how when iPhones came out Apple fans claimed Apple was more secure

      I don't see the Feds taking Google to court to unlock Android phones, yet Android is the majority of phones out there.

    9. Re: Reported in October by Anonymous Coward · · Score: 0

      Ha, same exact laptop, same exact issues with Apple, go figure, guess that makes two of us.

    10. Re:Reported in October by tlhIngan · · Score: 1

      According to the article, Apple was informed of the vulnerability in October and won't be releasing a patch until next week. The patch is only coming out that "soon" because 9to5Mac is reporting on it, much like the "empty password for root" bug was reported to them weeks ago but only fixed when it went "viral" on Twitter.

      Only if you want to misreport it as "a patch to fix it".

      No, it's fixed already. You cannot exploit this. The fixes were applied all over the place - a lot of patches were applied to Apple's servers themselves to prevent its exploitation, and another patch was given earlier that disabled the function that was being exploited. (Defense in depth - it requires a series of things to work out, and Apple went and fixed every one). They applied patches from October through November - most of them on Apple's side, but one final one on iOS that disabled the vulnerable feature that allowed it to happen in the first place.

      The patch next week re-enables the vulnerable feature in a more secure way.

      That's why the vulnerability was revealed - it was no longer exploitable at all. And likely, Apple kept breaking the reproduction when they patched Siri and HomeKit on their end.

      But hey, if you want to go around trying to exploit it, go right ahead.

  3. The fact that Zero Days in the Home are a thing by Anonymous Coward · · Score: 1

    Is damn good reason enough to NOT use these things in your home, unless your family safety means jack shit.

    1. Re:The fact that Zero Days in the Home are a thing by ls671 · · Score: 1

      No, no, it is a very good technology when you know what you are doing. Contact me offline for further requests, I run a hyper-Z omega secretive cloud that will take care of all your security needs, 100% hacker proof, guaranteed! We are also fully compatible with all the Apple apps!

      --
      Everything I write is lies, read between the lines.

    2. Re:The fact that Zero Days in the Home are a thing by JustAnotherOldGuy · · Score: 1

      I run a hyper-Z omega secretive cloud that will take care of all your security needs, 100% hacker proof, guaranteed!

      Can I upgrade to the 120% hacker-proof version for an extra $100??

      --
      Just cruising through this digital world at 33 1/3 rpm...

  4. Remember this, fans of Amazon.com's eHomeRobbery by jbn-o · · Score: 1

    Those who were defending amazon.com's hardware+service to allow amazon.com to deliver items inside your home should remember this: software you don't exclusively control, can't vet, and aren't allowed to inspect, fix, or share (thus your willingness to do these things is moot) means you're not just trusting an unknowable number of people to open your door and do stuff in your home while everyone is away. Your home security and your privacy are also subject to security problems anywhere in the amazon.com system; people could come in and do stuff to your home without looking like they're breaking in (even though they are). It's unwise to create circumstances for a break-in that are indistinguishable from you letting them in.

  5. apple security LOL by Anonymous Coward · · Score: 0

    What a joke.

  6. Re:Remember this, fans of Amazon.com's eHomeRobber by TheRaven64 · · Score: 2

    Not being able to vet it doesn't mean much. I doubt that there are 100 people in the world who can audit software of this complexity and be confident that it is free from security bugs. For anyone else, it should be assumed to be insecure whether you have the code or not.

    --
    I am TheRaven on Soylent News
  7. smart locks = dumb idea by Anonymous Coward · · Score: 0

    A smart person doesn't expose the control system for their home locks to the Internet. Smart locks = dumb idea.

    1. Re:smart locks = dumb idea by Anonymous Coward · · Score: 0

      Agree 100%. Anything connected to the web is (by default) a possible security problem.

      While I can see the usefulness of a smartphone being your key, I see a problem with a lock being connected to the web. A Bluetooth-only connection, where the user has to be next to the door, may be OK ... but then again, the signal sent can be captured and duplicated in another device.

  8. root by crimson+tsunami · · Score: 2

    Do you just walk up to the front door and say you are Root?
    Or is there a handle you have to hold wrong first?

    1. Re:root by Anonymous Coward · · Score: 0

      Do you just walk up to the front door and say you are Root?

      Recommended method is 'sudo open frontdoor'

  9. Re:Remember this, fans of Amazon.com's eHomeRobber by Anonymous Coward · · Score: 0

    Not being able to vet it doesn't mean much. I doubt that there are 100 people in the world who can audit software of this complexity and be confident that it is free from security bugs.

    Bollocks. Even if there was only one such person able and willing to do it, it would help everyone else as long as they published their results.

  10. Shocking by JustAnotherOldGuy · · Score: 1

    IoT shit is insecure? Nooooooooo!

    Shocking, I say! For further proof, this is my shocked face.

    --
    Just cruising through this digital world at 33 1/3 rpm...

    1. Re: Shocking by Anonymous Coward · · Score: 0

      If that shocks you, try not to gasp when you see what Dog's wife looks like now. ;)

  11. Microsoft version no better by crimson+tsunami · · Score: 1

    You walk up to the front door and it tells you your house is updating to creators edition. You have to wait outside in the snow a few hours before you can go inside.

  12. Re:Remember this, fans of Amazon.com's eHomeRobber by TheRaven64 · · Score: 1

    Okay, please point to one single piece of off-the-shelf software that anyone has audited well enough to stand up in public and assert that it is bug free. The closest I can think of is seL4, which was not just published, it was written with formal verification in mind: if you just had the C sources for it (and not the accompanying proofs) then verification would be a many man-year project. Oh, and it was less than a day between the public release of seL4 and the first security vulnerability being found.

    Publication of source makes it easier to determine that a product contains flaws, but for anything more than a thousand lines of code that can pretty much be taken as given. It does have other benefits, most notably that third parties can fix it, but being able to vet it will at best let you say 'yup, this thing that I'd previously assumed to be insecure crap turns out to be insecure crap'.

    --
    I am TheRaven on Soylent News
  13. Re:Remember this, fans of Amazon.com's eHomeRobber by tlhIngan · · Score: 1

    Those who were defending amazon.com's hardware+service to allow amazon.com to deliver items inside your home should remember this: software you don't exclusively control, can't vet, and aren't allowed to inspect, fix, or share (thus your willingness to do these things is moot) means you're not just trusting an unknowable number of people to open your door and do stuff in your home while everyone is away. Your home security and your privacy are also subject to security problems anywhere in the amazon.com system; people could come in and do stuff to your home without looking like they're breaking in (even though they are). It's unwise to create circumstances for a break-in that are indistinguishable from you letting them in.

    Funny thing about that. Amazon's requirements for getting something to work with Alexa are far more lax - think any piece of IoT thing out there today can get Alexa certification. All Amazon wants is to slap a sticker on your product.

    HomeKit certification is much harder - devices have to be shown to be secure before Apple will license it out.

    Apple concentrates on security, privacy and ease of use, and in fact, if you don't need outside of home control, HomeKit can work offline. It doesn't require internet access (unless you want to control it outside the house) to do anything. Only remote operations require the cloud.

  14. Re:Remember this, fans of Amazon.com's eHomeRobber by tlhIngan · · Score: 1

    Here's more information on HomeKit versus Alexa.

    https://www.reuters.com/articl...