Apple’s HomeKit Security vs. ioT Botnets – There’s Only So Much Apple Can Do

| Analysis

The recent botnet attacks have called into question the security of all our various internet of Things (ioT) devices, and rightfully so. Those attacks happened because people like you and me had routers, webcams and other gizmos in our homes that were not properly secured. Some of those security issues are fixable by general users, but many are not.

The majority of the devices that were involved in the DDoS attack on Dyn, for example, were compromised using a security hole that came from one of the device’s chipset vendors. This was something that most users wouldn’t be able to change even if they knew to try.

We Have a Problem. Is HomeKit the Solution?

Botnets vs. Privacy and HomeKitA lot of discussion has centered around solving this problem going forward. Indeed, the botnet that attacked Dyn is still very much alive, functional and, in many ways, unstoppable. One of the regular chimes I hear in our Apple-centric universe is, “HomeKit is secure, it must be the answer.”

HomeKit is secure. The transmissions between your iPhone and HomeKit-enabled devices are encrypted using some of the best security that exists. Problem is, HomeKit might not be the only way to access those devices. Indeed, it’s rare that a Wi-Fi-based smart home device is built to use only HomeKit. Most devices support HomeKit amongst a sea of other access options, often including a self-branded application or web service from the device manufacturer.

HomeKit is the most secure of any of the methods we’ve seen, which therefore means all these other methods are less secure and potentially easier to hack. In addition to that, there are the aforementioned security holes that can exist in the devices’ chipsets themselves, having nothing to do with the stated purpose of the device.

Plugging the holes

An obvious question, then, is why don’t device manufacturers plug all these holes? The good news is that many do. In researching this article, we spoke with quite a few smart home device manufacturers, and all of them responsibly spend time closing off all access to their devices before meticulously opening only those ports and services that are required for proper operation. That still leaves an access target, but it limits it to something the device manufacturer is aware of and hopefully can control.

The important thing to note, though, is that HomeKit’s device specification and certification process does not require manufacturers to perform any security beyond that which relates to HomeKit access. You could theoretically have a HomeKit-enabled device that contains one or more non-HomeKit security holes. Thankfully we haven’t found one yet, but it is most certainly possible. Even in that case, though, the HomeKit transmissions and data would still be secure, and even a hacked device wouldn’t allow access to your iPhone or any of its data. HomeKit keeps all that contained.

What Can I Do To Protect My Devices?

The other thing you can do is to secure your home network. Router manufacturers are in a unique spot to help detect and even prevent these kinds of attacks but, until they’re up-to-speed with this, you need to do the work yourself.

Consider disabling UPnP or NAT-PMP on your router and using manual port forwarding instead. UPnP and NAT-PMP allow your devices to automatically request that certain ports be forwarded to them, and can often be the source of unintentional (or intentional) security holes. By manually forwarding the requested ports you’re in a position to prevent unnecessary external access to your devices in the event some malware makes its way onto one of them in the future.

Additionally, choose devices from known, trusted vendors and ask them about each device you plan to use. Check with us, too. We’re regularly testing these things and we talk about this kind of security on Mac Geek Gab all the time. Check online to see what others say. The bottom line is: do your research, and know that we’re here to help.

8 Comments Add a comment

  1. Full disclosure: I’m an employee of Elgato Systems in Munich…

    Dave, you may want to note that Bluetooth HomeKit accessories like the Elgato Eve range of products are probably the most secure on the IoT market. All Eve accessories only implement HomeKit (HAP) and exclusively use Bluetooth.

    Remote access to those is provided solely through a so-called Home Hub, either Apple TV or an iPad running iOS 10 or later. So the only reasonable way to compromise Bluetooth-only accessories would be to hack Apple TV or an iOS device – both not too likely.

    In addition to other huge advantages, like free placement due to battery power and no filling up of your home Wi-Fi, Bluetooth really shines when it comes to security.

    Cheers,

    f l o r i a n

  2. Dave Hamilton

    @flo_muc: Thanks for offering this. Indeed, I focused solely on Wi-Fi-based HomeKit devices here just to limit the scope, but your comments are appreciated and correct, of course. Bluetooth HomeKit devices offer the most security simply because there is no access any other way.

  3. Doug Petrosky

    I listened to the discussion on Mac Observer on this and couldn’t stop yelling at the phone as if it would help, because are making assumptions you don’t know.

    1) All HomeKit devices have to be sent to Apple for “approval” and you assume Apple only tests the device for HomeKit and not general security. This may be true but it would be odd for Apple to spend so much time harding HomeKit and then approving a device that left SSH open to a default password.

    2) The fact that much of the data coming from many of the devices was not encrypted makes it easier to try to track it back through the firewall. NAT is not a firewall but it obscures addresses on the other side of it so figuring out that an unprotected device is sitting behind an IP address if it is not communicating out in an unsafe way would be more difficult.

    I’m not saying that what you said is not potentially true, just that it is not necessarily true and ether you didn’t’ communicate well how you came to these conclusions or I did understand it.

    Telling people to lock down UPNP and setup port routes sounds like a terrible idea to me.

  4. Dave Hamilton

    @Doug: I made no assumption here. I researched this for weeks, and every single company I spoke with (both on and off-the-record) confirmed what I wrote above:

    HomeKit’s device specification and certification process does not require manufacturers to perform any security beyond that which relates to HomeKit access.

    To add to that: Apple’s testing process does not deny devices based on anything outside the HomeKit spec.

    I know it’s not a fun reality to accept, but it is the correct reality.

  5. Scott B in DC

    Those attacks happened because people like you and me had routers, webcams and other gizmos in our homes that were not properly secured. Some of those security issues are fixable by general users, but many are not.

    I have a novel idea… why not blame the industry for not making it easier to configure routers and other items without having to have earned a degree in computer science?

    We have home thermostats to keep our homes a certain temperature, we do not need to know about HVAC to operate them. We drive cars that, forgetting the current state of bad driving, once we learn how to drive you don’t need to be an engineer or mechanic to drive. In many cases, you can push the button and go.

    The industry has made it too difficult in the name of wanting to be everything to everybody. And instead of fixing the damned roads because they are too dangerous, they keep paving over the current roads while potholes still abound. Without a better model, these issues will continue to exist no matter what anyone tries to do.

    If we learned nothing from this last general election, let’s learn that the status quo is broken and if you don’t get angry and stand up against the status quo, all of these tech companies will just give you the same crap packaged in a shinier veneer to lure the collective ADD to look their way. At least Apple is trying to do “something.” It’s not enough but it’s easier than spitting into the proverbial wind!

  6. I think that one of the main issues with routers is the education curve on how to configure one properly. Port Forwarding / NAT and the other concepts involved are beyond most users I think. I see most people just plug in their wifi router and very few I have dealt with ever knew that these things were even configurable, or how to do it. I think that bye default these options should be off from the manufacturer. It would force people to maybe understand a bit of what is actually going on. Dave, I love both articles that you wrote about Homekit security. I think a primer on routers would be a great service if you wanted to write one, or point people in the right direction on how to find the information.

Add a Comment

Log in to comment (TMO, Twitter, Facebook) or Register for a TMO Account