While people are purchasing Internet of Things devices in record numbers, most are not looking at the security implications of those devices.
Given that, here is something to ponder.
Apple, like every other company on the planet, is trying to capitalize on the IoT craze. They sell software that allows developers to build software to control home automation from your iDevice and iCloud.
Home automation is, of course, an example of IoT and even though this software is sold by Apple, it suffers from the same problems as all other software. Bugs.
The particular bug in question is kind of important. Among other things, it allows non-authorized users to unlock your doors and open your garage. Not a great idea from a security standpoint.
And, kind of like the problem that caused the Equifax breach, this problem was caused by a flaw in a framework, in this case the Apple HomeKit framework.
The good news is that after the bug was announced, Apple was able to make some server-side changes that blocked the attack. It also disabled some functionality, but that is certainly preferable to allowing anyone on the planet to unlock your door and steal your stuff.
Apple is expected to roll out a fix very soon and, I assume, after allowing some time for people to install the fix, Apple will restore the blocked functionality.
This is not really about beating up Apple. Software is complicated and all software has bugs. In fact, Apple blocked the attack very quickly after being notified.
What it is about is people jumping on the IoT bandwagon without understanding the implications, specifically the security implications, of the jump. It is great that people want to adopt new technology, but will they be so happy when the technology isn’t quite perfect, or if they don’t implement the controls needed to make the use of the software secure?
Recently, my dishwasher broke and when the service person came to fix it, he had to patch the dishwasher software before he left. It turns out the patch was related to a safety problem (as in the dishwasher catching fire), so I am glad that he patched it, but, to be honest, if the dishwasher hadn’t broken it would still be a safety problem because I HAVE NO CLUE AS TO HOW TO PATCH MY DISHWASHER. Do you know how to patch YOUR dishwasher? This is one of the problems with IoT.
The good news is that since this attack was blocked very quickly, the damage was minimal. If this wasn’t Apple and it wasn’t blocked within 48 hours, there could have been more damage.
IoT, in spite of the craze and the expectation of the deployment of 20 billion devices in the next few years, is still, at this time, a niche item. The vast majority of homes do not have door locks controlled by their iPhone. But that, likely, won’t last, and when it takes hold we had better have this security thing figured out.
Information for this post came from 9to5Mac.