Khaos Tian handled his discovery responsibly, by reporting it to Apple on the day he discovered it, October 28. But he says the issue remained live throughout November, and the next iOS release actually made things worse …
The vulnerability comprised two issues, he explains. First, while it should be impossible for anyone to discover the unique identifiers for a HomeKit device, two separate bugs meant that it was possible for someone to figure it out – without any authorization to access the home.
Second, when a non-authorized person sent a command to a HomeKit device, HomeKit didn’t do anything to verify the sender, it simply allowed the command through. The issue was particularly worrisome given that it allowed full control of smart locks.
