Apple’s HomeKit security blunder exposes the risk of smart homes

Credit to Author: Jonny Evans | Date: Fri, 08 Dec 2017 06:42:00 -0800

The expression “safe as houses” will become a thing of the past if tech firms don’t get connected home security right, and the need to be incredibly watchful was visible in Apple’s latest security blunder this week.

The latest iOS 11.2 update held a zero-day vulnerability attackers could exploit to control smart home devices, including connected locks, 9to5Mac explains. While the vulnerability was difficult to exploit, and Apple has acted very swiftly to close this security gap, its existence exposes the risk of smart homes.

Apple’s swift response is two-fold:

To address a problem like this fast is exactly what must be demanded from any smart home solution manufacturer – nothing less is acceptable. Smart locks must really be locks, and not subject to being undone by opportunistic hackers with time on their hands.

There is a real risk: the industry remains fragmented, not every smart device is truly smart, and some early-to-market solutions have been shown to use poor internal password protection and to be usable as entry points into home networks.

While others rushed to market with smart home systems, Apple realised the need to ensure security protection in its smart home technologies early on. Its response was to develop HomeKit as a platform for smart home devices on iOS, but to ensure those solutions compatible with HomeKit meet certain criteria, including use of approved technologies.

The strength of that approach is – oddly enough – proven by Apple’s response to this latest vulnerability. You see, Apple was able to address a platform-wide problem by making a temporary fix to its own HomeKit servers.

That’s important in two ways. First, it means the company can respond swiftly to smart home security problems as they transpire. Second, it means those wanting to break these protections will need to figure out how to exploit those very same HomeKit servers, which I think will be much harder to achieve than undermining an individual iOS user’s security.

The challenge for those investing in smart home kit remains. Garage doors, door locks, connected security systems – all that connected convenience also implies additional risk.

The biggest risk is that anyone who can gain control of your iOS device can also then seize control of your connected home.

It is not enough to rely on Apple to secure your smart home – you also need to ensure you are thinking security as you deploy smart home devices. You must avoid systems that offer poor future software update paths, use poor security protocols and so forth.

You should also take every possible step to ensure those devices you do deploy are tested and approved for HomeKit, as despite this recent flaw I think it remains the most secure smart home platform.

It also means taking every possible step to secure your iOS device.

When “1,2,3,4” and the word “password” remain two of the world’s most frequently used passwords there’s a potential problem.

After all, if you use one of those passwords to protect your iPhone, and someone gets hold of that phone and takes control of it, then you might as well also hand them your front door keys, wallet and every piece of personal information you own. And everyone you know.

What I’m arguing is that while we must demand high levels of security from vendors in this space, the biggest security problem remains the same one it has always been — the end user.

That’s a scenario that’s only going to become more important in the months and years to come, as even hotel chains develop smart connected room technologies.

If you’re smart, you’ll secure yourself before you deploy a smart home.
