Comment: iOS HomeKit bug exposed smart locks to unauthorized access

News broke that a HomeKit vulnerability in the current version of iOS 11.2 has been found that allows unauthorized control of accessories including smart locks and garage door openers. The implications of the vulnerability are worrying, with the obvious concern being the ability for attackers to gain access to someone’s house without a physical key.

Jeff Tang, Senior Security Researcher at Cylance:

“The rush to make every home device smart turns out to be a stupid decision as we learn about more and more vulnerabilities in IoT devices.

“Something that I haven’t seen discussed much is the fact that smart locks are popular among short-term home rentals such as Airbnb. The owners of these homes would be especially vulnerable as they invite random strangers off the Internet to stay at their homes, potentially unsupervised with physical access to the IoT devices and networking equipment. The crux of these issues stems from an error in permission handling. Guests that are granted low-privilege access (e.g. unlock door) end up being able to elevate their privileges (e.g. grant other users the ability to unlock door).

“In this case, the fix is easily deployed as a server-side update so users don’t have to do anything to remain secure. I think most people would be surprised to learn their physical door locks are simple 4 or 5 pin and tumbler locks that are easily picked by a novice in a few minutes. There isn’t much of a security loss here, relatively speaking.

“As it stands right now, there’s no liability for companies building insecure devices so we’ll continue to see the market flooded with cheap “smart” devices. Owners need to be vigilant in monitoring for device updates if they choose to deploy these in their own homes.”
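The permission-handling error Tang describes (a guest with unlock rights able to grant access to other users) modelled as an added example, not code from Apple or from this article: a toy shared-home membership model with the flawed invite check beside a corrected one. The role names, the check logic and the `Home` class are assumptions for illustration; HomeKit's actual implementation is not public.

```python
from dataclasses import dataclass, field
from enum import Enum

class Role(Enum):
    OWNER = "owner"   # may edit the home, including adding users
    ADMIN = "admin"   # may edit the home, including adding users
    GUEST = "guest"   # may operate accessories (e.g. unlock) only

EDITORS = {Role.OWNER, Role.ADMIN}

class PermissionDenied(Exception):
    pass

@dataclass
class Home:
    """Toy model of a shared home: user id -> role (constructed, not HomeKit's schema)."""
    members: dict = field(default_factory=dict)

    def unlock(self, user: str) -> bool:
        # Any member, guests included, may operate the lock.
        if user not in self.members:
            raise PermissionDenied(f"{user} is not a member")
        return True

    def invite_flawed(self, inviter: str, invitee: str, role: Role = Role.GUEST) -> None:
        # Flawed check: only asks whether the inviter is *in* the home. A guest with
        # unlock rights can therefore add further users, i.e. escalate privileges.
        if inviter not in self.members:
            raise PermissionDenied(f"{inviter} is not a member")
        self.members[invitee] = role

    def invite_fixed(self, inviter: str, invitee: str, role: Role = Role.GUEST) -> None:
        # Fixed check: adding users is an *edit*, so the inviter needs an editing role,
        # and nobody may hand out a role above their own.
        inviter_role = self.members.get(inviter)
        if inviter_role not in EDITORS:
            raise PermissionDenied(f"{inviter} may not add users")
        if role == Role.OWNER or (role == Role.ADMIN and inviter_role != Role.OWNER):
            raise PermissionDenied(f"{inviter} may not grant {role.value}")
        self.members[invitee] = role

def guest_can_add_user(invite_name: str) -> bool:
    """True if a guest succeeds in adding a new user via the named invite method."""
    home = Home({"owner": Role.OWNER, "guest": Role.GUEST})
    try:
        getattr(home, invite_name)("guest", "stranger")
    except PermissionDenied:
        return False
    return "stranger" in home.members
```

The lesson for defenders is that "can operate" and "can share" are separate privileges: an authorization check for a sharing action must test the editing role, not mere membership.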