
Apple Releases iOS 11.2.1 and tvOS 11.2.1 to Fix HomeKit Vulnerability

After Zac Hall of 9to5Mac discovered a major HomeKit vulnerability, Apple fixed it on the server side, which had the unfortunate side effect of preventing you from granting remote access to your HomeKit devices to other users (see “HomeKit Vulnerability Discovered, Already Patched,” 8 December 2017). Now Apple has released iOS 11.2.1 and tvOS 11.2.1 to address the security flaw while continuing to allow remote access for shared users.

It makes sense that iOS and tvOS were updated together since you can use an iPad, fourth-generation Apple TV, or Apple TV 4K as a HomeKit hub for remote access.

I was curious about the exact nature of the exploit because both Apple and 9to5Mac were intentionally vague. Steve Troughton-Smith revealed on Twitter that it allowed someone to activate a scene remotely with only an email address. As I explained in “A Prairie HomeKit Companion: Core Concepts” (3 November 2016), a scene in HomeKit is like a macro in that it does several things at once, such as turning on a set of lights. If you had a HomeKit-enabled lock on your front door and a scene tied to it, an attacker could have unlocked your front door from across the globe!

You can obtain the iOS 11.2.1 update, which weighs in at 60.2 MB on the iPad Pro, either in Settings > General > Software Update or via iTunes. The HomeKit vulnerability was the only one addressed in the update. Likewise, you can install tvOS 11.2.1 by going to Settings > System > Software Updates. Again, the HomeKit vulnerability was all that Apple addressed in the update. If you don’t use HomeKit, there’s no reason we can see to install these updates.

As someone who has written extensively about HomeKit in my “A Prairie HomeKit Companion” series and touted its superior security over other home automation solutions, I’m disappointed but not terribly surprised. Vulnerabilities are inevitable. The good news is that, because Apple is a responsible company, the problem was solved quickly and openly. That said, I’m still leery of securing my house with a HomeKit-enabled lock.
