Under the name “Khaos Tian”, the developer writes on Medium that HomeKit was sharing data on HomeKit accessories and encryption keys over insecure sessions with Apple Watches running watchOS 4.0 or 4.1, which essentially gave control of every HomeKit accessory (locks, cameras, lights) to any unscrupulous Apple Watch wearer. Tian says he reported the issue to Apple Product Security, which somehow made the situation worse by widening the flaw so unauthorized iOS 11.2 devices could also receive the sensitive data. Basically, they went from leaving the keys in the front door, to leaving the front door wide open.
Despite repeatedly emailing Apple throughout November, Tian had no success in getting a response from the company, so he resorted to contacting Apple site 9to5Mac, which contacted Apple’s PR team on Tian’s behalf. Worryingly, but perhaps unsurprisingly, Tian writes that Apple PR were “much more responsive” than the Apple Product Security team. On December 13 — some six weeks after Tian first flagged the vulnerability — Apple remedied the issue with iOS 11.2.1.
HomeKit is sold on the bold claim that you can entirely trust your home to Apple. More so than any other company, in fact, since the system requires users to purchase “extra-secure” Apple-approved components. But as Tian writes, “be vigilant when someone make[s] the promise that something is secure”, because as Apple demonstrates, it’s not too difficult to cause “a complete security breakdown of the entire system”. Apple has been contacted for comment.