A zero-day security vulnerability discovered in Apple’s HomeKit app in the current version of iOS 11.2 would allow attackers to gain unauthorized control of Internet of Things devices connected via the application, 9to5Mac reported.
The vulnerability, for which Apple has released a fix that is being made available to users, allowed an unauthorized party to hijack devices that were linked to Apple’s smart home hub. That would allow the attacker to unlock doors, control smart lights, and adjust thermostats and other appliances that may have been connected by the user.
The unauthorized access suggests a significant security vulnerability that was allowed to slip through the cracks by Apple’s development team. A zero-day vulnerability refers to a flaw in a piece of software that was unknown to the developer at the time the software was shipped.
The vulnerability affects iPhones and iPads running iOS 11.2, the latest version of Apple’s mobile operating system, and users who have connected the HomeKit application to their iCloud account. Earlier versions of iOS are not affected by the bug.
Details on how the vulnerability can be exploited were not released as the bug is still potentially exploitable. It’s worth noting that the issue is not related to any individual smart home products but to Apple’s HomeKit, meaning any devices connected through the application are at risk. Apple has acknowledged the issue and started rolling out an update to fix the problem.
“The issue affecting HomeKit users running iOS 11.2 has been fixed,” Apple said in a statement. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”
That fix will not require any user action; it is being applied server-side—though it may result in some functionality issues for users. An update to iOS expected to be released next week should offer a permanent fix that will solve the issue in full.
Troublingly, the issue discovered in iOS 11.2 is believed to have been known by Apple since October, when security researchers reportedly informed the company of the vulnerabilities. While some of the issues related to the remote access flaw were addressed in iOS 11.2 and watchOS 4.2, enough of the issue remained to allow an attacker to gain remote access to connected smart home devices and appliances through HomeKit.
The existence of the vulnerability isn’t necessarily damning for HomeKit as a product, but it does raise questions for users as to how much they should entrust to the application. If an attacker can unlock their home through the app or do damage by adjusting thermostats or turning on appliances, users may have second thoughts about connecting those devices.
The issue is just the latest in a string of significant problems for Apple. A Wi-Fi security issue was discovered in iOS 11.1 last month. Apple has also had issues with its macOS operating system, which came under fire after a bug was discovered that allowed anyone to gain access to a machine running the operating system without requiring a password.