The developer who discovered a serious vulnerability in HomeKit, one that allowed unauthorized control of someone else’s devices, has explained how it worked. He has also expressed frustration at Apple’s failure to properly fix the bug until 9to5Mac intervened.
Khaos Tian handled his discovery responsibly, reporting it to Apple’s product security team on October 28, the day after he found it. But he says the issue remained live throughout November, and the next iOS release actually made things worse …
Those message mishandling issues were discovered back in late October, and were disclosed to Apple’s product security team the day after I found them (Oct 28). I got ONE email (on October 30) from Apple’s product security team saying they were investigating it, and that was all through the entire month of November. During that time, I sent multiple emails (Oct 31, Nov 2, and Nov 16. Additionally there was one sent to Federighi on Nov 27.) to try to ensure the engineering team understood the issue, but no reply at all. I observed that Apple deployed the watchOS server fix, so I assumed they were just being typical Apple, not replying to people (hello radar 🙃), so I thought the engineering team should have sufficient understanding of the issue and hoped they would properly fix the issue in iOS 11.2. But then, when iOS 11.2 was officially released, while they did fix some of the issues in my report, they didn’t do a full security audit to ensure all messages were being handled properly, and instead introduced a new message which made the whole attack a lot easier.
The vulnerability comprised two issues, he explains. First, the unique identifiers of a HomeKit device are not supposed to be discoverable by anyone without access to the home, but two separate bugs made it possible for an outsider to learn them without any authorization.
Second, when a non-authorized person sent a command to a HomeKit device, HomeKit did nothing to verify the sender; it simply allowed the command through. Taken together, knowing a device’s identifier was in effect being treated as sufficient authorization to control it. The issue was particularly worrisome given that it allowed full control of smart locks.
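To make the pattern behind those two issues concrete, here is an added Python model of a toy command dispatcher. It is not HomeKit’s code and is not taken from Tian’s write-up; the Home, Message, accessory identifiers, user names and the "bulk_update" message type are all constructed for the example. It contrasts a dispatcher whose only check is whether the target identifier exists (so anyone who learns an identifier controls the device) with one that puts a single authorization gate in front of every handler, so that a newly added message type cannot bypass the check and an outsider learns nothing about which identifiers exist.

```python
"""Toy model of the failure mode described above. This is an added example,
not HomeKit's code and not from Tian's write-up; the Home, Message,
accessory identifiers and user names are constructed for illustration.

The vulnerable dispatcher accepts any well-formed message for a known
accessory identifier, so whoever learns an identifier controls the device.
The hardened dispatcher puts a single authorization gate in front of every
handler, so the sender must be in the home's authorized set before the
identifier is even looked up, and a message type added later cannot bypass
the check.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Message:
    sender: str        # identity bound to the session (assumed authenticated)
    accessory_id: str  # target device identifier
    action: str        # "lock", "unlock", or a newer message type


@dataclass
class Home:
    authorized_users: set
    accessories: dict = field(default_factory=dict)  # id -> accessory state
    audit: list = field(default_factory=list)        # denied attempts

    def add_accessory(self, name: str) -> str:
        # Random and hard to guess, but an identifier is not a credential.
        acc_id = secrets.token_hex(16)
        self.accessories[acc_id] = {"name": name, "state": "locked"}
        return acc_id


def _lock(acc: dict) -> str:
    acc["state"] = "locked"
    return "locked"


def _unlock(acc: dict) -> str:
    acc["state"] = "unlocked"
    return "unlocked"


# Per-message handlers. None of them check who sent the message; that is
# the job of the dispatcher, not of each handler.
HANDLERS = {"lock": _lock, "unlock": _unlock}


def dispatch_insecure(home: Home, msg: Message) -> str:
    """Vulnerable pattern: existence of the identifier is the only check."""
    acc = home.accessories.get(msg.accessory_id)
    if acc is None:
        return "rejected: unknown accessory"
    handler = HANDLERS.get(msg.action)
    if handler is None:
        return "rejected: unsupported action"
    return f"{acc['name']} {handler(acc)}"


def dispatch_secure(home: Home, msg: Message) -> str:
    """Hardened pattern: authorize the sender first, then reuse the same
    dispatch. An outsider gets the same answer whether or not the
    identifier exists, so the handler is not an identifier oracle either."""
    if msg.sender not in home.authorized_users:
        home.audit.append(("denied", msg.sender, msg.action))
        return "rejected: sender not authorized for this home"
    return dispatch_insecure(home, msg)


def demo() -> dict:
    """Run an outsider who has somehow learned the lock's identifier against
    both dispatchers (constructed scenario) and return what happened."""
    home = Home(authorized_users={"owner"})
    lock_id = home.add_accessory("front door")
    intruder = Message(sender="intruder", accessory_id=lock_id, action="unlock")
    results = {}

    results["insecure"] = dispatch_insecure(home, intruder)
    results["state_after_insecure"] = home.accessories[lock_id]["state"]
    # The insecure path also leaks whether an identifier exists.
    results["insecure_probe"] = dispatch_insecure(
        home, Message("intruder", "0" * 32, "unlock"))

    home.accessories[lock_id]["state"] = "locked"  # reset for the second run
    results["secure"] = dispatch_secure(home, intruder)
    results["secure_probe"] = dispatch_secure(
        home, Message("intruder", "0" * 32, "unlock"))
    results["state_after_secure"] = home.accessories[lock_id]["state"]
    # A message type added later still has to pass the same gate.
    results["secure_new_type"] = dispatch_secure(
        home, Message("intruder", lock_id, "bulk_update"))
    results["owner"] = dispatch_secure(home, Message("owner", lock_id, "unlock"))
    results["denied"] = len(home.audit)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The design point is that authorization lives in one place in front of the handler table rather than inside each handler: adding a handler to `HANDLERS` cannot create an unguarded path, and an unauthorized sender gets an identical rejection whether or not the identifier it tried is real.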
The technical explanation is quite lengthy, and you can read it in the Medium post. But the bigger problem, he says, is that Apple was aware of the vulnerability for well over a month without fixing it. It was only when 9to5Mac took it up with Apple PR that it got prioritized.
I ended up reaching out to a friend at 9to5mac, and it turned out Apple’s PR channel is much more responsive than product security. From them reaching out to Apple PR to Apple coming up with a temporary fix, it all happened within 48 hours. No wonder nowadays people just throw security issues on Twitter, right? What a world we live in.
Neither Tian nor 9to5Mac publicly disclosed the existence of the vulnerability until Apple had patched it. That temporary server-side patch limited some functionality until a full fix was rolled out in iOS 11.2.1. Tian notes that, even after the fix, he has removed some specifics from his write-up at the request of Apple’s product security team.