Apple issues fix for HomeKit vulnerability impacting smart locks and other devices

Apple says it has issued a fix for an iOS security flaw that left key connected home hardware open to unauthorized third-party access. The bug, which was initially spotted by 9to5Mac, reportedly made it possible for an outside party to access things like smart locks and garage doors.

The company has since confirmed the existence of the bug to TechCrunch. “The issue affecting HomeKit users running iOS 11.2 has been fixed,” an Apple spokesperson said in a statement. “The fix temporarily disables remote access to shared users, which will be restored in a software update early next week.”

The fix appears to be a server-side update, meaning that the end user doesn’t have to update anything for it to take effect. For the time being, it also means that users with 11.2 won’t have all of the standard remote HomeKit functionality until Apple rolls out something more permanent next week. Getting that functionality back will require updating to the latest version of iOS.

The initial report doesn’t detail the specifics of the exploit in its post, only noting that, “The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account.” It appears to be a difficult one to replicate and doesn’t impact earlier builds of the operating system. But it may highlight concerns around smart home functionality as users connect more pieces of their home to an ecosystem like HomeKit, Assistant or Alexa.

Bugs are part of any software solution, and Apple’s rushed to fix a couple of prominent ones on macOS and iOS in recent weeks. Like those, the company’s patched things up here with, hopefully, minimal inconvenience to the end user. But as always, it’s important to make a cost-benefit analysis of a connected home offering to decide if it’s the right fit.