HomeKit flaw in iOS 11.2 allowed remote access to smart devices, temporary fix already in ...

Posted:
in iPhone edited December 2017
Apple's software woes continued this week with the publication of a HomeKit flaw that allowed remote access to smart home devices like locks and lights. The company has since issued a temporary patch by disabling remote access to shared users, and plans to permanently plug the hole in a software update next week.




Demonstrated to 9to5Mac by an unnamed source, the HomeKit vulnerability granted unauthorized access to internet-connected devices controlled by Apple's smart home platform.

The process, which was not detailed in today's report, is said to be difficult to reproduce. However, unlike recent Apple software bugs, a HomeKit flaw presents a tangible real-world security threat to users who have smart door locks and garage door openers installed in their home.

Fortunately, Apple has implemented a temporary fix by disabling remote HomeKit access to certain users.

"The issue affecting HomeKit users running iOS 11.2 has been fixed. The fix temporarily disables remote access to shared users, which will be restored in a software update early next week," Apple said in a statement.

The report claims Apple was made aware of the vulnerability in late October, and says some issues were fixed as part of the recently released iOS 11.2 and watchOS 4.2 updates. Apple patched other holes related to the HomeKit flaw server-side, the report said.

Today's revelations come on the heels of an embarrassing week for Apple software. Last Tuesday, media outlets glommed on to a glaring macOS High Sierra flaw that provided root system administrator access without first requiring a password. Apple pushed out a quick fix, but that patch broke file sharing for some users.

Later in the week, users discovered a date bug in iOS 11.1.2 that threw some devices into a continuous soft reset loop. The issue forced Apple to release iOS 11.2 early in an overnight update on Saturday.
«1

Comments

  • Reply 1 of 31
    maybe it’s best not to install any of apple’s latest software releases for the time being until they sort out all these errors? it seems like every other day there is news about a flaw in each of their os platforms — macOS, iOS, watchOS and tvOS.
    dysamoria
  • Reply 2 of 31
    Rayz2016Rayz2016 Posts: 4,042member
    maybe it’s best not to install any of apple’s latest software releases for the time being until they sort out all these errors? it seems like every other day there is news about a flaw in each of their os platforms — macOS, iOS, watchOS and tvOS.
    Mmmm. Not really. 

    “Difficult to reproduce” sounds like it’s not something that’s going to cause a lot of problems, unlike the root thing. 

    Besides, if you don’t install the software then how’re you going to get the fixes?
    SoliRacerhomieXStrangeDaysmagman1979russw
  • Reply 3 of 31
    maybe it’s best not to install any of apple’s latest software releases for the time being until they sort out all these errors? it seems like every other day there is news about a flaw in each of their os platforms — macOS, iOS, watchOS and tvOS.
    Better go hide under a rock and never come out!
    andrewj5790focherRacerhomieXmagman1979jeff_cookrussw
  • Reply 4 of 31
    gatorguygatorguy Posts: 19,058member
    Rayz2016 said:
    maybe it’s best not to install any of apple’s latest software releases for the time being until they sort out all these errors? it seems like every other day there is news about a flaw in each of their os platforms — macOS, iOS, watchOS and tvOS.
    Mmmm. Not really. 

    “Difficult to reproduce” sounds like it’s not something that’s going to cause a lot of problems, unlike the root thing. 

    Besides, if you don’t install the software then how’re you going to get the fixes?
    Anyone who hadn't yet updated to 11.2 was unaffected anyway. Other point versions of iOS 11 are fine. 
    edited December 2017
  • Reply 5 of 31
    focherfocher Posts: 624member
    According to the 9to5 article:
    The vulnerability required at least one iPhone or iPad on iOS 11.2, the latest version of Apple’s mobile operating system, connected to the HomeKit user’s iCloud account; earlier versions of iOS were not affected.

    Is that sentence correct? Because if it is, it seems to say that the bug requires a connection to the user's iCloud account. Or is that ANY iCloud account? Big difference.
  • Reply 6 of 31
    SoliSoli Posts: 8,229member
    Rayz2016 said:
    maybe it’s best not to install any of apple’s latest software releases for the time being until they sort out all these errors? it seems like every other day there is news about a flaw in each of their os platforms — macOS, iOS, watchOS and tvOS.
    Mmmm. Not really. 

    “Difficult to reproduce” sounds like it’s not something that’s going to cause a lot of problems, unlike the root thing. 

    Besides, if you don’t install the software then how’re you going to get the fixes?
    And you're more likely to close vulnerabilities if you update than to risk publically-undocumented weak points from being an ongoing issue. As we've seen many, many times, older OSes that hardly anyone still uses get documented as having major security flaws. Hopefully no one was able to root them out while they were still widely used.
    edited December 2017 RacerhomieXmagman1979
  • Reply 7 of 31
    RacerhomieXRacerhomieX Posts: 95unconfirmed, member
    Guys, bugs like this are getting reported since it is Apple. Trust me ,there are tonnes of bugs on Android too. No one just reports on them much ,since they wont get clicks. I am just glad Apple fixes them quickly & we all get the updates. Stop making this like it is the end of the world. As code gets more complex there will ALWAYS be bugs.
    edited December 2017 lkruppsergiozdewmemagman1979racerhomiesmiffy31russw
  • Reply 8 of 31
    dysamoriadysamoria Posts: 1,776member
    gatorguy said:
    Rayz2016 said:
    maybe it’s best not to install any of apple’s latest software releases for the time being until they sort out all these errors? it seems like every other day there is news about a flaw in each of their os platforms — macOS, iOS, watchOS and tvOS.
    Mmmm. Not really. 

    “Difficult to reproduce” sounds like it’s not something that’s going to cause a lot of problems, unlike the root thing. 

    Besides, if you don’t install the software then how’re you going to get the fixes?
    Anyone who hadn't yet updated to 11.2 was unaffected anyway. Other point versions of iOS 11 are fine. 
    I love watching people say "keep your devices updated" (when it's the updates bringing all the bugs and none of the fixes), and "don't update unless there's a critical fix" and "never update a working system" and...
    magman1979cgWerks
  • Reply 9 of 31
    Guys, bugs like this are getting reported since it is Apple. Trust me ,there are tonnes of bugs on Android too. No one just reports on them much ,since they wont get clicks. I am just glad Apple fixes them quickly & we all get the updates. Stop making this like it is the end of the world. As code gets more complex there will ALWAYS be bugs.
    Agree
    RacerhomieXmagman1979smiffy31
  • Reply 10 of 31
    dysamoriadysamoria Posts: 1,776member

    Guys, bugs like this are getting reported since it is Apple. Trust me ,there are tonnes of bugs on Android too. No one just reports on them much ,since they wont get clicks. I am just glad Apple fixes them quickly & we all get the updates. Stop making this like it is the end of the world. As code gets more complex there will ALWAYS be bugs.
    Stop with the special pleading logical fallacy. It has enabled the computer industry to be the worst industry for reliability ever. Of all time. Stop excusing shitty software. You just further the problem by normalizing it.
    cgWerksbeowulfschmidt
  • Reply 11 of 31
    eightzeroeightzero Posts: 2,115member
    Useless to me.
  • Reply 12 of 31
    lkrupplkrupp Posts: 6,297member
    And as for ALL of these recent security flaws and bugs there hasn’t been a single, not one, verified report of someone (in this case) getting their front door unlocked by a burglar. There are a lot chicken little security experts running around with their hair on fire expounding on the theoretical possibilities of what may, could, might happen with stuff like this but no corroborating evidence of actual exploits. We have seen reports of bugs in Android that affect millions upon millions of Android users faced with not much hope of a patch anytime soon. Yet where are the victims? Surely there are tens of thousands of them, theoretically of course. I’m tired of so-called security experts preaching impending doom with every  software bug, glitch, flaw, hiccup. A user is much more likely to get their personal data stolen because of the Equifax hack than some flaw in iOS 11. 
    SolisergiozRacerhomieXGG1racerhomiesmiffy31
  • Reply 13 of 31
    dysamoria said:

    Guys, bugs like this are getting reported since it is Apple. Trust me ,there are tonnes of bugs on Android too. No one just reports on them much ,since they wont get clicks. I am just glad Apple fixes them quickly & we all get the updates. Stop making this like it is the end of the world. As code gets more complex there will ALWAYS be bugs.
    Stop with the special pleading logical fallacy. It has enabled the computer industry to be the worst industry for reliability ever. Of all time. Stop excusing shitty software. You just further the problem by normalizing it.
    Debugging is part of the development process, a routine discipline of software engineering and it exists since the Eniac. Cocroaches loving hot spots of analog circuits gave rise to the creation of the term “debugging”, at the beginning those were true biological bugs, now we’re dealing with metaphorical bugs. Here is a subject to you to speculate about whether that means progress or not.
    RacerhomieX
  • Reply 14 of 31
    dewmedewme Posts: 1,616member
    dysamoria said:

    Guys, bugs like this are getting reported since it is Apple. Trust me ,there are tonnes of bugs on Android too. No one just reports on them much ,since they wont get clicks. I am just glad Apple fixes them quickly & we all get the updates. Stop making this like it is the end of the world. As code gets more complex there will ALWAYS be bugs.
    Stop with the special pleading logical fallacy. It has enabled the computer industry to be the worst industry for reliability ever. Of all time. Stop excusing shitty software. You just further the problem by normalizing it.
    It's very easy to bash software reliability but I'd challenge anyone to identify another product, any product, that is even remotely similar to software in terms of technical, mathematical, algorithmic, temporal, and combinatorial complexity compared to the type of software products that Apple (and most any other large ISV) are developing today. Throw into the mix the nearly incomprehensible level of difficulty for a single human being to fully understand every line of code and executable sequence, including all exception paths, in a single software component of even medium complexity. Then you throw in multi-layered integrations of components, subsystems, services, COTS libraries, frameworks, hardware drivers, etc., and the complexity only soars. Building software that works as intended under known conditions is difficult. Building software that doesn't crap all over itself in the face of unforeseen internal or external situations and conditions that only happen once-in-a-million times (the easy to identify conditions) or much less often is tougher still, especially when you have software that has to deal with massive scale and concurrency.

    Oh, and because the only products that are worth a damn are products that are shipping and selling, software teams can't labor away indefinitely testing and refining their work until they all grow old together. It has to ship. Product owners and executive sponsors have limited patience. The pressure to ship can be very intense.

    But at least software doesn't wear-out or degrade over time and use, which are the leading causes of reliability issues with non-software products. This fact alone makes it very difficult to compare software reliability to the reliability of other products. All of software's defects are baked into it from the start and only rear their ugly heads when the right combination of enabling conditions arise. Like entering "root" with a blank password. Doh! So it's not even the software itself that's unreliable, it's the people who build the software that are unreliable. Comparing humans to machines is tough.

    I know ... nobody wants to hear that building and testing software is hard, cry cry cry, but it really is. At least for humans. Maybe that will change someday, but for as long as software is being produced by meat based entities it is going to continue to demonstrate our human infallibility, limitations, and finite cognitive abilities. However, even with meat based designers, coders, and testers software can get much better. Maybe not perfect, but better. It's the people who must change, or eventually, get out of the way.
    magman1979bonobobsmiffy31
  • Reply 15 of 31
    larryjwlarryjw Posts: 248member
    These security bugs are serious. Something tells me Apple hired newbies who need far more management than prior employees. My guess there was substantial institutional knowledge by prior developers. 
  • Reply 16 of 31
    cgWerkscgWerks Posts: 1,609member
    Hmm, maybe this is a bone being thrown to all the 3-letter-agencies in place of building in back doors to the encryption. Just let them in the front door every so often. I wonder if the iPhone is next? Like... any face of fingerprint works in the next version? Or, when the passcode comes up, you just have to hit 'cancel' and you're in?
  • Reply 17 of 31
    cgWerkscgWerks Posts: 1,609member
    As code gets more complex there will ALWAYS be bugs.
    Is the code getting more complex?

    lkrupp said:
    And as for ALL of these recent security flaws and bugs there hasn’t been a single, not one, verified report of someone (in this case) getting their front door unlocked by a burglar.
    ...
    A user is much more likely to get their personal data stolen because of the Equifax hack than some flaw in iOS 11. 
    Well, with the macOS bug, the thief could have just walked across the office, unlocked the computer they liked, grabbed the info, and locked it back up again. But, yes, as far as we know Apple has gotten quite lucky. Saying, they aren't as bad as Equifax though isn't especially reassuring. :)

    dewme said:
    It's very easy to bash software reliability but I'd challenge anyone to identify another product, any product, that is even remotely similar to software in terms of technical, mathematical, algorithmic, temporal, and combinatorial complexity compared to the type of software products that Apple (and most any other large ISV) are developing today. Throw into the mix the nearly incomprehensible level of difficulty for a single human being to fully understand every line of code and executable sequence, including all exception paths, in a single software component of even medium complexity. Then you throw in multi-layered integrations of components, subsystems, services, COTS libraries, frameworks, hardware drivers, etc., and the complexity only soars. Building software that works as intended under known conditions is difficult. Building software that doesn't crap all over itself in the face of unforeseen internal or external situations and conditions that only happen once-in-a-million times (the easy to identify conditions) or much less often is tougher still, especially when you have software that has to deal with massive scale and concurrency.
    ...
    So it's not even the software itself that's unreliable, it's the people who build the software that are unreliable. Comparing humans to machines is tough.
    And, yet, we're going to let this stuff drive thousands of pounds of vehicle around our streets?
  • Reply 18 of 31
    Rayz2016Rayz2016 Posts: 4,042member
    cgWerks said:
    Hmm, maybe this is a bone being thrown to all the 3-letter-agencies in place of building in back doors to the encryption. Just let them in the front door every so often. I wonder if the iPhone is next? Like... any face of fingerprint works in the next version? Or, when the passcode comes up, you just have to hit 'cancel' and you're in?
    Still trying to get this to take root, eh?  

    Keep trying. 
    StrangeDays
  • Reply 19 of 31
    cgWerkscgWerks Posts: 1,609member
    Rayz2016 said:
    Still trying to get this to take root, eh?  
    Keep trying. 
    Sure thing. :)
  • Reply 20 of 31
    Rayz2016Rayz2016 Posts: 4,042member

    dewme said:
    dysamoria said:

    Guys, bugs like this are getting reported since it is Apple. Trust me ,there are tonnes of bugs on Android too. No one just reports on them much ,since they wont get clicks. I am just glad Apple fixes them quickly & we all get the updates. Stop making this like it is the end of the world. As code gets more complex there will ALWAYS be bugs.
    Stop with the special pleading logical fallacy. It has enabled the computer industry to be the worst industry for reliability ever. Of all time. Stop excusing shitty software. You just further the problem by normalizing it.
    It's very easy to bash software reliability but I'd challenge anyone to identify another product, any product, that is even remotely similar to software in terms of technical, mathematical, algorithmic, temporal, and combinatorial complexity compared to the type of software products that Apple (and most any other large ISV) are developing today. Throw into the mix the nearly incomprehensible level of difficulty for a single human being to fully understand every line of code and executable sequence, including all exception paths, in a single software component of even medium complexity. Then you throw in multi-layered integrations of components, subsystems, services, COTS libraries, frameworks, hardware drivers, etc., and the complexity only soars. Building software that works as intended under known conditions is difficult. Building software that doesn't crap all over itself in the face of unforeseen internal or external situations and conditions that only happen once-in-a-million times (the easy to identify conditions) or much less often is tougher still, especially when you have software that has to deal with massive scale and concurrency.

    Oh, and because the only products that are worth a damn are products that are shipping and selling, software teams can't labor away indefinitely testing and refining their work until they all grow old together. It has to ship. Product owners and executive sponsors have limited patience. The pressure to ship can be very intense.

    But at least software doesn't wear-out or degrade over time and use, which are the leading causes of reliability issues with non-software products. This fact alone makes it very difficult to compare software reliability to the reliability of other products. All of software's defects are baked into it from the start and only rear their ugly heads when the right combination of enabling conditions arise. Like entering "root" with a blank password. Doh! So it's not even the software itself that's unreliable, it's the people who build the software that are unreliable. Comparing humans to machines is tough.

    I know ... nobody wants to hear that building and testing software is hard, cry cry cry, but it really is. At least for humans. Maybe that will change someday, but for as long as software is being produced by meat based entities it is going to continue to demonstrate our human infallibility, limitations, and finite cognitive abilities. However, even with meat based designers, coders, and testers software can get much better. Maybe not perfect, but better. It's the people who must change, or eventually, get out of the way.
    Interesting that you say that, because I was thinking much the same thing. Here’s Apple’s apology:

    ‘We greatly regret this error and we apologize to all Mac users, both for releasing with this vulnerability and for the concern it has caused. Our customers deserve better. We are auditing our development processes to help prevent this from happening again.’

    Note that they didn’t say that they would take steps to prevent this from happening again; they said that would take steps to help prevent this from happening again. They understand  (unlike many people here) that once an app gets beyond outputting “Hello World” it is pretty much guaranteed to have bugs.  When something like this happens, you do not panic and start promising stuff that can’t be done.  You look at your processes and make improvements.  For all we know the quality control process may be fine, and what Apple may decide to do is actually change the way that the code is written, opting for graceful failure rather than trying to account for every possible test scenario. 

    I used to work on aircraft flight systems, an industry where we used to generate five A4 sheets of test documentation for every line of code written. The QA manager used to stroll around the office with a large stick he called his “quality measure”. If an eye wasn’t dotted or a tee wasn’t crossed, he’d crack that stick down on your desk, pretty darn close to your fingers…

    One day, he came out of a meeting with a partner organisation, and he was as white as skimmed milk.  

    He sat down put his head in his hands and told us that the partner’s team leader had said that his team would write their part of the code and guarantee it was hundred per cent bug free.  He said up to that point he’d quite liked the guy…

    He reported what the team leader had said, and the partner was removed from the project. 



    russw
Sign In or Register to comment.