After Zac Hall of 9to5Mac discovered a major HomeKit vulnerability, Apple fixed it on the server side, which had the unfortunate side effect of preventing you from granting remote access to your HomeKit devices to other users (see “HomeKit Vulnerability Discovered, Already Patched,” 8 December 2017). Now Apple has released iOS 11.2.1 and tvOS 11.2.1 to address the security flaw while continuing to allow remote access for shared users.
It makes sense that iOS and tvOS were updated together since you can use an iPad, fourth-generation Apple TV, or Apple TV 4K as a HomeKit hub for remote access.
I was curious about the exact nature of the exploit because both Apple and 9to5Mac were intentionally vague. Steve Troughton-Smith revealed on Twitter that it allowed someone to activate a scene remotely with only an email address. As I explained in “A Prairie HomeKit Companion: Core Concepts” (3 November 2016), a scene in HomeKit is like a macro in that it does several things at once, like turn on a set of lights. If you had a HomeKit-enabled lock on your front door and a scene tied to it, an attacker could have unlocked your front door from across the globe!
You can obtain the iOS 11.2.1 update, which weighs in at 60.2 MB on the iPad Pro, either in Settings > General > Software Update or via iTunes. The HomeKit vulnerability was the only one addressed in the update. Likewise, you can install tvOS 11.2.1 by going to Settings > System > Software Updates. Again, the HomeKit vulnerability was all that Apple addressed in the update. If you don’t use HomeKit, there’s no reason we can see to install these updates.
As someone who has written extensively about HomeKit in my “A Prairie HomeKit Companion” series and touted its superior security over other home automation solutions, I’m disappointed but not terribly surprised. Vulnerabilities are inevitable. The good news is that, because Apple is a responsible company, the problem was solved quickly and openly. That said, I’m still leery of securing my house with a HomeKit-enabled lock.