Security Vulnerability in Apple's HomeKit

The story of the recent vulnerability in Apple's HomeKit.

Posted on December 21, 2017 at 6:49 AM • 13 Comments

Comments

Raniz • December 21, 2017 7:21 AM

Apple has lost a lot of cred in the security department for me lately. I probably wouldn't consider any of their products earlier either due to their intense eco-system lock-in and the fact that I generally don't like their UX, but lately they've gone from not interested to avoid.

fred • December 21, 2017 8:31 AM

wow do I think I'm beating a dead horse here.
What problem does an internet-enabled lock solve that a spare key doesn't?

Why does Apple invest millions to set up and maintain a server farm for you to unlock your door?

Data mining sucks and is NOT in your best interest no matter how shiny the new tech toy is.

Clive Robinson • December 21, 2017 10:16 AM

So two probs,

1, lack of authentication
2, Assumption about obscurity

These are not exactly new classes of security vulnerabilities. So in theory should have been checked for...

But that's not the point people should be taking away from this.

Ask yourself "How many products of this complexity do not have bugs on shipping?"

Which gives rise to a more interesting question of "How many bugs can not be leveraged into becoming vulnerabilities?"

Bear in mind that bugs we used to think were not vulnerabilities later became new classes of attack vector...

Now ask if you really need to spend ridiculously large amounts of money on real "back door vulnerabilities" just to be a Fanboi or equivalent no knowledge geeky type.

I guess at the end of the day the real question is "When are insurance companies going to wake up to this and adjust premiums and other aspects of your home insurance?" to the point it either kills the market for such devices or the industry pulls its socks up and gets a certification system like UL in place...

Jordan • December 21, 2017 12:02 PM

@Clive Robinson: It doesn't sound like either lack of authentication *or* assumption of obscurity, or at least not precisely.

In order for HomeKit to do something, the message needs to contain a unique identifier that identifies the object (accessory, scene, or room) in the home. Normally it should be impossible for anyone to figure out the unique identifier for those objects unless you are actually authorized to access that home in HomeKit.

So each device has a secret name, and if you know the secret name then you can access the device. That's a form of authentication, and isn't any more dependent on obscurity than a traditional password or crypto key scheme is. You have to keep a secret, and having that secret gives you access.

The problem seems to have been that they had a bug that leaked the secret.

(Could it have been *better* authentication? Probably. Conflating something's name with the secret used to access it makes it very easy to let the secret leak, since lots of things might need to know a name and fewer should know the secret.)

Clive Robinson • December 21, 2017 12:12 PM

@ Raniz,

"Apple has lost a lot of cred in the security department for me lately."

Not just security it would appear.

Apple are quite deliberately slowing older phones down and failed to tell people they were doing so...

Now they've been "caught in the act". Thus people have said it's a con by Apple to make them buy a new phone...

Only after the story became known and the accusations got "Writ Large" on the Internet did Apple come out to say it's to protect the phone electronics with aging batteries...

Whilst there may be truth in this, it begs the question as to why Apple designed their electronics in a way that would be damaged under these very much expected aging battery issues...

https://www.npr.org/sections/thetwo-way/2017/12/21/572538593/apple-says-it-slows-older-iphones-to-save-their-battery-life

hmm • December 21, 2017 12:22 PM

"So each device has a secret name, and if you know the secret name then you can access the device. That's a form of authentication, and isn't any more dependent on obscurity than a traditional password or crypto key scheme is. You have to keep a secret, and having that secret gives you access."

Except users can change a password. (usually)

Once that secret name is discovered, there is no security - it can't be changed.

Clive Robinson • December 21, 2017 12:28 PM

@ Jordan,

"So each device has a secret name, and if you know the secret name then you can access the device. That's a form of authentication, and isn't any more dependent on obscurity than a traditional password or crypto key scheme is."

Err no, a "secret name" for a device is not an authentication method that anyone with any knowledge of why "secrets" leak would accept. Simplistically it could/would be sent as "plaintext". In a similar way that your "account name" is frequently sent as part of your Email address, so should not be used as an authentication secret.

Authentication Secrets should never be shared, period. Especially across a communications system. Device names should never be considered an authentication secret because they can and will be shared by all the users of the device. Thus as a secret it has no uniqueness to the user about it, thus attribution for misuse can not be uniquely assigned. Which is a security no-no at the best of times (and people get sacked for sharing accounts and passwords all the time).

It's just a really, really bad idea and should no more be used than sending login passwords in plaintext across the Internet.

Jordan • December 21, 2017 2:05 PM

@Clive Robinson: Agreed, it's not good authentication. But it's also not a "secret" key buried in the source code, which is what "no authentication" and "security by obscurity" usually suggests.

Whether it's sent in cleartext we don't know, but to share a device you'd have to share the one-and-only secret for that device, and that's bad.

As I think on it more, in addition to the problem with conflating the name with the authentication secret, they've conflated authentication with authorization (as many systems do). If you authenticate with the one-and-only secret then you're authorized, and to be authorized you must authenticate with the one-and-only secret. They should really arrange that I authenticate as myself, and you authenticate as yourself, and I grant you authorization to control my device. You don't have to know my secrets; you only have to know your secrets.
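
The separation Jordan describes, as an added illustration that is not from the post and is not Apple's HomeKit protocol (a constructed Python model with made-up names): Model A treats the accessory identifier as the access secret, so sharing the device means sharing its one-and-only secret; Model B keeps identifiers public, has each user authenticate with their own key, and has the owner grant authorization per accessory, so a leaked or shared key can be rotated without re-keying the device.

```python
import hmac
import hashlib
import secrets

# Model A (constructed): the accessory's identifier is the only secret.
class NameIsSecretHome:
    def __init__(self):
        self.accessories = {}           # secret identifier -> name
    def add_accessory(self, name):
        sid = secrets.token_hex(8)
        self.accessories[sid] = name
        return sid                      # must be shared to share the device
    def command(self, sid, action):
        # Whoever learned the identifier is treated as authorised.
        if sid not in self.accessories:
            return None
        return f"{self.accessories[sid]}: {action}"

# Model B (constructed): users authenticate as themselves with their own
# key; the owner grants authorization per accessory; identifiers are public.
class PrincipalHome:
    def __init__(self, owner, owner_key):
        self.owner = owner
        self.accessories = {}           # public identifier -> name
        self.keys = {owner: owner_key}  # user -> that user's own key
        self.grants = {}                # public identifier -> {users}
    def add_accessory(self, name):
        pid = f"acc-{len(self.accessories) + 1}"   # not a secret
        self.accessories[pid] = name
        self.grants[pid] = {self.owner}
        return pid
    def enrol(self, user, user_key):
        self.keys[user] = user_key      # re-enrolling rotates the key; grants stay
    def grant(self, requester, pid, user):
        if requester == self.owner and pid in self.grants:
            self.grants[pid].add(user)
    def _authenticate(self, user, msg, tag):
        key = self.keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)
    def command(self, user, pid, action, tag):
        # Authentication (who is this?) and authorization (may they?) are separate.
        msg = f"{pid}:{action}".encode()
        if not self._authenticate(user, msg, tag):
            return None
        if user not in self.grants.get(pid, set()):
            return None
        return f"{self.accessories[pid]}: {action}"

def sign(key, pid, action):
    """Client-side tag over the command, using the user's own key."""
    return hmac.new(key, f"{pid}:{action}".encode(), hashlib.sha256).digest()
```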

Petre Peter • December 22, 2017 9:32 AM

@Clive Robinson

"Authentication Secrets should never be shared period."

Excellent point. It seems like a case of mistaken authentication for identification. Authentication can be split in something I know, something I have, something I am. Authentication proves who I am, which is different than identification (here is who I am).

Sofa • December 22, 2017 10:44 AM

@Clive

You're mistaken Apple designs their electronics this way intentionally poorly. That can be proven by taking apart their designs and seeing how much extra care goes into them:
Macbook charger teardown: The surprising complexity inside Apple's power adapter

I completely agree their communication needed to be better, but arguing Li-Ion batteries are turnkey is incorrect. Much like a car needing oil changes and major services every X thousand miles technology needs updates and wear items replaced. Batteries are wear items. There is no business case for making your customers so angry they go elsewhere long-term.

They should have notified, and presented the options of free replacement with AppleCare or $79 without so people KNEW, but the design is still correct and well done. After all, no company wants Samsung tiki torches like the Note 7.

See this post for an excellent explanation without hyperbole:
Apple Addresses Why Some iPhones With Older Batteries Are Benchmarking Slower

- Sofa

Clive Robinson • December 22, 2017 12:04 PM

@ Sofa,

"You're mistaken Apple designs their electronics this way intentionally poorly."

Oh I would not disagree with that.

Funny story for you...

Apple makes a great deal of money on selling spares such as extra / replacement chargers. The mark up they add is at least 4000%... Which encourages "Chinese Knock Offs" to cash in. Which obviously upsets Apple, who complain vociferously to the authorities... In the UK it falls on "Trading Standards Officers" who generally are overworked, underpaid for the risk and under appreciated.

I used to give "expert opinion" and was contacted by a TSO over some "fake Apple chargers". The only way you could tell them apart from the outside was the attached "evidence" stickers. I was asked to appraise their safety so I cracked a couple open and examined them in a number of --fairly dull-- ways. I was surprised at the quality of the build as it was really quite high compared to other knock offs I'd previously examined. I checked back with the TSO to see if there had been a mistake in the evidence collection / marking. After a small investigation our fears were confirmed when on cracking a supposedly genuine Apple product the guts were shoddy, really shoddy, and I certainly would not give one house room.

Anyway, to cut a long story short, other Apple confirmed parts were cracked and showed the same shoddy build standard... The TSO did proceed to prosecute the person who had been retailing the fakes. However what would have been a big part of the case --that they were dangerous-- had to be dropped.

As I only half jokingly said to the TSO, maybe they should go after Apple for shoddy workmanship... To this day I still do not know how on earth they got a CE mark on them... I'm glad to say that more modern chargers from Apple appear to be a bit better built these days but "bit" is most definitely qualified...
