Date: Monday, October 24th, 2016, 05:02
Category: Hack, Hardware, HomeKit, News, security
Following up on the large-scale distributed denial of service (DDoS) attack on Friday that temporarily took down large chunks of the Internet, it looks like Apple’s controversial “walled garden” approach to its HomeKit devices may have worked out.
As detailed in recent reports, the attack, which also targeted unprotected “Internet of Things” (IoT) devices, focused on Dyn, an internet management company that provides DNS services to many major web entities.
A series of repeated attacks caused websites including The Verge, Imgur and Reddit, as well as services like HBO Now, and PayPal, to see slowdowns and extended downtimes. Follow-up waves played havoc with The New York Times, CNN, Netflix, Twitter and the PlayStation Network, among many others.
Though Dyn was initially unable to nail down a source, subsequent information published by security research firm Flashpoint revealed the targeted attacks involved a strain of the Mirai malware, reports Brian Krebs. Krebs has firsthand experience with Mirai, as the malware was deployed in a DDoS attack that brought down his website, KrebsOnSecurity, in September.
The Mirai malware hunts the web for IoT devices using the default username and password combinations. Once located, the malware infiltrates and uses poorly protected hardware to facilitate a DDoS attack on an online entity, in this case Dyn.
As it turned out, DVRs and IP cameras like those made by Chinese company XiongMai Technologies contain a grievous security vulnerability and are in large part responsible for hosting the botnet. Once accessed, they provided a large part of the bonnet that was used in the attack.
To prevent another Mirai attack, or a similar assault harnessing IoT hardware, offending devices might require a recall, Krebs says. Short of a that, unplugging an affected product is an effective stopgap.
Apple’s HomeKit devices, which incorporate built-in end-to-end encryption, protected wireless chip standards, remote access obfuscation and other security measures designed to thwart hacks, were able to withstand the attack and not be turned into part of the botnet participating in Friday’s DDoS attack.
Announced in 2014 alongside iOS 8, HomeKit debuted as a secure framework onto which manufacturers of smart home products can lattice accessory communications. Specifically, the system uses iOS and iCloud infrastructure to securely synchronize data between host devices and accessories.
Apple details HomeKit protections in a security document posted to its website, noting the system’s reliance on public-private key pairs.
First, key pairs are generated on an iOS device and assigned to each HomeKit user. The unique HomeKit identity is stored in Keychain and synchronized to other devices via iCloud Keychain. Compatible accessories generate their own key pair for communicating with linked iOS devices. Importantly, accessories will generate new key pairs when restored to factory settings.
Apple uses the Secure Remote Password (3,072-bit) protocol to establish a connection between an iOS device and a HomeKit accessory via Wi-Fi or Bluetooth. Upon first use, keys are exchanged through a procedure that involves entering an 8-digit code provided by the manufacturer into a host iPhone or iPad. Finally, exchanged data is encrypted while the system verifies the accessory’s MFi certification.
When an iPhone communicates with a HomeKit accessory, the two devices authenticate each other using the exchanged keys, Station-to-Station protocol and per-session encryption. Further, Apple painstakingly designed a remote control feature called iCloud Remote that allows users to access their accessories when not at home.
Accessories that support iCloud remote access are provisioned during the accessory’s setup process. The provisioning process begins with the user signing in to iCloud. Next, the iOS device asks the accessory to sign a challenge using the Apple Authentication Coprocessor that is built into all Built for HomeKit accessories. The accessory also generates prime256v1 elliptic curve keys, and the public key is sent to the iOS device along with the signed challenge and the X.509 certificate of the authentication coprocessor.
Apple’s coprocessor is key to HomeKit’s high level of security, though the implementation is thought to have delayed the launch of third-party products by months. The security benefits were arguably worth the wait.
So, while you may have had to wait a while for the HomeKit protocol and devices to come to market, it may have been worth the wait where security is concerned.