HomeKit security tips

HomeKit is Apple’s smart home framework, enabling a wide range of third-party products, from locks and security cameras to curtains, lights and thermostats, to be controlled via the Home app on an iPhone or iPad. It’s Apple’s take on the internet of things (IoT).

But IoT, being relatively new, is not without its issues, and HomeKit has its share of these. At the more extreme end, many security experts worry that hackers may be able to get access to unsecured smart home setups, which could be merely inconvenient in some cases but a genuine danger in others. And ransomware, locking up devices around your home until you pay the hacker, is another concern.

With this in mind we’ve put together a guide to HomeKit security: tips that will help you stay safe in the internet of things and get yourself some peace of mind. HomeKit is generally very reliable and secure, but it pays to be safe.

(For more general advice, take a look at our iPhone security tips.)

Don’t panic…

IoT is going to be a popular attack vector for hackers, because it’s new, and getting lots of interest, and not everyone getting involved with it knows what they’re doing and so may leave themselves vulnerable. And because it massively widens the scope of what hackers can access – not just computers or phones, but the appliances all around us.

But you shouldn’t proceed from this assessment of the likely risks to panic. You probably won’t get hacked. Most IoT setups are secure. Apple is particularly strong at security, and even though it isn’t perfect and flaws are discovered from time to time, these get a lot of press converge which gives you plenty of warning and encourages the company to issue patches quickly.

…but prepare for the worst

I divided IoT devices above into two categories: those that would present an inconvenience if they were hacked, and those that would present a danger. Into the latter category I would include door locks, most obviously, but losing control of your thermostat in winter could be similarly debilitating.

IoT and HomeKit security in particular is generally strong, and you are unlikely to be hacked. But when planning a smart home, it’s best to prepare for the worst-case scenario, because getting locked out (or letting burglars in) would be such a colossal pain in the neck.

Our inclination is to adopt HomeKit devices in a tiered approach: start with lights and other convenience-based devices which wouldn’t be a catastrophe if they were compromised, then move on to the ‘critical’ installations such as door locks only once you’re satisfied that HomeKit is reliable enough to depend on.

Prepare fallbacks for critical devices

If you decide that you are prepared to install what I would call ‘critical’ smart devices such as door locks, it’s worth considering if you’ll need a non-smart fallback in case something goes wrong. If your smart thermostat was compromised, for instance, would you be prepared and able to heat your home while you waited for it to be fixed? (Having a number of reliable and powerful storage heaters on the premises would be an obvious stopgap solution here.)

Doors are a funny one. Many early adopters are choosing to have two locks – the smart one that they will use day-to-day for convenience, and an old-fashioned one that will be engaged as well when leaving the house untenanted for longer (just as many people in the non-tech world use a Yale and mortice lock pairing) for greater security. But remember that being locked out of your house would be a pain too, and this is one problem that a secondary lock wouldn’t help.

Check regularly for iOS updates

It’s the view of security professionals and tech experts that iOS is a more secure platform than Android, and Apple in general has a very good reputation in this area. But neither are perfect, and there have been a number of flaws and bugs discovered in Apple software recently. In each case the solution to the flaw has been a patch.

This is why it is so important to make sure that the iOS device you use to control your HomeKit devices is up to date. Check regularly for updates; if a flaw is discovered, you want to make sure you get the patch as soon as possible.

(For this reason it’s also worth taking an active interest in tech security news, so that you know about any dangers as early as possible. It can be a dry subject, but it’s important.)

Use devices from reputable manufacturers only

This shouldn’t be a problem because HomeKit won’t work with a device unless it’s been passed for Apple’s MFi programme. (This is verified during setup, at the same time that the security key is exchanged.) But nobody’s perfect, and we would recommend performing your own due diligence on a product and its maker before taking the plunge.

Here is Apple’s list of certified products.

Check privacy settings

Open your linked iOS device and open the Settings app, then tap Privacy. Scroll down and tap HomeKit. Here you will see the apps that have requested access to Home’s data.

Be cautious about sharing access to the network

After you set up an Home network, you’ll be able to add further users. If you give them editing privileges they will be able to add more users, and so on. But it’s important to give access only to people you trust.

Bear in mind that incompetence (or inexperience) can be just as dangerous as malice and is far more common; so think twice before letting your kids have control of critical devices.

Protect linked devices and accounts

One flaw discovered near the end of 2017 related to iCloud security. This allowed a hacker who gained control of someone’s iCloud account to access linked HomeKit devices too.

The flaw has since been dealt with (on the server side, hence requiring no user intervention in this case, although a longer-term patch will be pushed out in an iOS update) but it draws attention to an important aspect of HomeKit security: that the smart home devices themselves are not necessarily the weak link in the chain. A hacker doesn’t necessarily need to have physical access or proximity to your thermostat to get control of it: they could strike via the linked iPhone or iPad, or potentially through your Apple accounts.

In other words, having a HomeKit setup only adds to the importance of securing your devices and accounts – maintain good passcode and password discipline, be careful about letting people borrow or use your phone (whether it’s people you don’t know, or people who might be careless with passwords in their turn), look out for and take action in response to news of vulnerabilities, and so on.