On October 21st a large-scale cyber attack hit parts of the Internet in the US and Europe. The attack was carried out by IoT devices that had been compromised and infected with malware dubbed Mirai, which turned them into botnet nodes. The target of this DDoS attack was the DNS provider Dyn. A similar attack had hit security journalist Brian Krebs in September. Security researcher Bruce Schneier had already warned in January 2014 that poorly secured IoT devices such as cameras, routers, baby monitors and more could be used for cyber attacks. Here’s Elgato CEO Dr. Markus Fest’s statement on the attack, and the reasons why Eve devices were – and remain – unaffected:
The DDoS attack on September 21st just scratched the surface of IoT vulnerability issues. An attacker who can install DDoS malware on an IoT device can also install code to affect the device’s operation. Furthermore, it is certainly possible for an attacker to permanently brick the device by overwriting the bootloader and firmware update code. Most people won’t care that much if their device is used in a DDoS attack as long as it continues to function normally, but this attitude would change quickly if millions of devices were to be bricked.
A good litmus test is to ask a device maker for their security white paper, in which they document their overall architecture, algorithms used, and privacy implications. If such a document does not exist (as is often the case), chances are the security architecture was not professionally designed, and hence it is almost certainly and seriously flawed. Initially this may seem counterintuitive, but “security by obscurity” truly is no security at all.
For up-to-date information about Apple iOS security, see this white paper. The section covering HomeKit starts on page 22.
We unequivocally trust that HomeKit is extremely secure and believe that, as a general rule, devices that support non-HomeKit APIs – especially proprietary and undocumented cloud APIs – are significantly less secure. We cannot comment on Apple’s certification requirements for non-HomeKit APIs.
It is important to note that even if a HomeKit accessory was hijacked via flaws in its non-HomeKit APIs, it would not compromise HomeKit as a platform because a HomeKit accessory cannot communicate directly with other HomeKit accessories.
HomeKit-only devices, such as our Eve Light Switch and Eve Energy, among others, are highly secure. The only reasonable attack path is through an iOS device (iPhone or Apple TV), which is much harder to crack than your typical run-of-the-mill IoT cloud-connected accessory. And, in the unlikely event that an attacker does gain control of the iOS device, there is nothing to be gained from spreading malware to a Bluetooth low energy light switch.