Is HomeKit More Secure? (11 KEY Reasons Why!)
Security is important, especially when we’re talking about our own smart homes.
As such, when you’ve looked through the options of Amazon Alexa, Google Home, and Apple HomeKit, you may have asked yourself this question:
“Is HomeKit more secure?”
I too was curious about this so I conducted some deep research on this topic and found a definitive answer.
Here’s what I found:
HomeKit is more secure than other smart home ecosystems. HomeKit has strong security features such as two-factor authentication, Ed25519 key pairs for authentication, and secure data communication protocols to HomeKit devices and to iCloud. HomeKit-compatible devices need to join the MFi program to ensure high security.
Now you know the gist of HomeKit’s security!
In this article, I will cover why HomeKit is more secure and do a summarized comparison between its competitors.
Read on for more!
1. Short Introduction To Apple HomeKit
With so many choices of smart home ecosystems out there, it can get really intimidating trying to understand which is best for you.
In this article, we’ll just focus on the star of the show when it comes to security: Apple HomeKit!
Apple HomeKit is a central place for (typically) Apple device users to control all the smart devices in their home using their Apple devices.
This has made it ultra-easy for Apple users to control their home with any device they happen to be interacting with at home!
Apple, however, does not produce its own smart devices like smart lights, smart switches, etc!
Instead, smart device manufacturers need to be HomeKit-compatible in order for them to show up and be compatible with the Home app on the Apple App Store.
I’ll elaborate on this very important point later on!
In order for HomeKit to be used, it has to have a home hub that can act as the central “control panel” for controlling smart home devices. Home hubs include:
- HomePods (Now replaced with HomePod Minis)
- HomePod Minis
- Apple TVs
However, once a home hub is set up, Apple users can control their smart home using an iPhone, iPad, and Mac using the in-built Home app in iOS, iPadOS, and macOS.
2. Why Is HomeKit More Secure? (Detailed answer)
In order to answer why HomeKit is more secure, we need to understand 2 things to make a conclusion: (a) Apple HomeKit’s security features, and (b) how HomeKit compares to other smart home ecosystems.
(a) Apple HomeKit’s Security Features
Now that you have a very basic understanding of what HomeKit is, you’ll need to understand the strongest selling point of Apple HomeKit – its security features!
While many choose to begin an Apple HomeKit smart home because they simply love Apple, MANY consider it because of its very high-security protocols compared to its competitors.
Here are some of Apple HomeKit’s security features:
(i) HomeKit’s High Security Standards for Their HomeKit-Compatible Devices
Firstly, HomeKit has very high-security standards for their HomeKit compatible devices.
As such, there’s a stringent process for manufacturers looking to adhere to its high-security standards.
For example, in order for a smart light manufacturer to “work with Apple HomeKit” or rather, enjoy entry to the HomeKit ecosystem, they need to jump through many hoops.
More specifically, most manufacturers need to go through a series of approvals, certifications, manufacturing, and business-related problems for this.
This includes going through the tedious MFi (Made for iPhone/iPod/iPad) licensing program.
MFi licensees get access to:
- HomeKit Accessory Protocol Specification (commercial version).
- Third-party SDKs for commercial development.
- “Works with Apple HomeKit” certification and tools.
- Logo artwork and identity guidelines.
Only when they are officially certified can they “work with Apple HomeKit” and interact with the ecosystem.
This can really bump up the prices of HomeKit devices though!
(ii) HomeKit Data Security
HomeKit also has solid data security.
According to Apple, the data in HomeKit is shared among iOS, iPadOS, and macOS devices through a key-encrypted process using iCloud and iCloud Keychain only.
And because it’s encrypted by keys that exist only on a user’s iOS, iPadOS, and macOS devices, it is not accessible by any other party during data transmission or on iCloud.
When a HomeKit home has multiple users, HomeKit data is shared using authentication based on Ed25519 public keys and is encrypted.
Subsequently, the controls and commands to the home are extended to the new user.
After a new user is added to a home, all further communication is authenticated and encrypted using Station-to-Station protocol and per-session keys.
When some apps require access to HomeKit data, they will be asked to grant access ONLY according to the user’s Privacy settings. Once a user approves, access will be granted for apps to receive some of this data.
However, in the future, with the iOS 15 SDK beta, new smart home apps that work with Matter will have a secure and seamless connection.
So keep a lookout for Matter!
Any data stored locally is encrypted using keys derived from the user’s HomeKit identity keys, plus a random nonce.
HomeKit data is stored using the Data Protection class Protected Until First User Authentication.
Not forgetting Apple also has high platform security across all its devices!
(iii) HomeKit Communication Security
Apple is also really serious when it comes to communication security.
“HomeKit provides a home automation infrastructure that uses iCloud and iOS, iPadOS and macOS security to protect and sync private data without exposing it to Apple.” (Apple)
What’s special about HomeKit compared to the other smart home ecosystems is that its identity and security are based on Ed25519 public-private key pairs.
This means the private keys are stored only on your devices, and they are needed to authenticate data transfers. They are stored in Apple Keychain, a password management system by Apple.
As Apple doesn’t have access to your private keys, they can’t access your data when it is communicated.
Communication Between HomeKit-Compatible Devices and Apple Devices:
When you add a HomeKit accessory to HomeKit, it generates its own Ed25519 key pair for communicating with your Apple devices.
To do this, keys are exchanged between the HomeKit-compatible devices and your Apple devices using Secure Remote Password (3072-bit) protocol utilizing an eight-digit code provided by the accessory’s manufacturer, entered on the iOS or iPadOS device by the user.
This is then encrypted using ChaCha20-Poly1305 AEAD with HKDF-SHA512 derived keys.
Remember I mentioned the MFi certification that manufacturers need to get earlier in this article?
This is also verified during this setup process!
When HomeKit-Compatible devices communicate with your Apple devices, they authenticate each other by exchanging their keys.
Each session is established using the Station-to-Station protocol and is encrypted with HKDF-SHA512 derived keys based on per-session Curve25519 keys. (Apple)
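The session setup described above, as an added sketch in Node.js (this is not Apple's code and not the HomeKit Accessory Protocol's wire format): each side signs the pair of per-session Curve25519 public keys with its long-term Ed25519 key, the peer checks that signature against the identity key it stored at pairing, and both derive a ChaCha20-Poly1305 key with HKDF-SHA512. The function names, the salt and info labels, the nonce layout and the sample message are assumptions made for this example, and the signatures are exchanged unencrypted to keep it short.

```javascript
const { generateKeyPairSync, diffieHellman, hkdfSync, sign, verify,
        createCipheriv, createDecipheriv } = require("node:crypto");

// DER-encoded public key bytes, used as the material that gets signed.
const pub = (key) => key.export({ type: "spki", format: "der" });

// Long-term Ed25519 identity (exchanged at pairing) plus a fresh X25519 key per session.
const newParty = () => ({
  identity: generateKeyPairSync("ed25519"),
  eph: generateKeyPairSync("x25519"),
});

// Sign both ephemeral public keys (own first) to bind the identity to this exchange.
const stsSign = (self, peerEph) =>
  sign(null, Buffer.concat([pub(self.eph.publicKey), pub(peerEph)]), self.identity.privateKey);

// Check the peer's signature against the identity pinned at pairing, then derive the key.
function stsFinish(self, peerEph, peerSig, pinnedIdentity) {
  const signed = Buffer.concat([pub(peerEph), pub(self.eph.publicKey)]);
  if (!verify(null, signed, pinnedIdentity, peerSig)) return null;
  const shared = diffieHellman({ privateKey: self.eph.privateKey, publicKey: peerEph });
  // Salt and info labels are constructed for this example.
  return Buffer.from(hkdfSync("sha512", shared, "example-salt", "example-session", 32));
}

// 96-bit nonce built from a per-message counter (constructed layout).
const nonceFor = (n) => { const b = Buffer.alloc(12); b.writeBigUInt64LE(BigInt(n), 4); return b; };

function seal(key, n, plaintext) {
  const c = createCipheriv("chacha20-poly1305", key, nonceFor(n), { authTagLength: 16 });
  return Buffer.concat([c.update(plaintext), c.final(), c.getAuthTag()]);
}
function unseal(key, n, sealed) {
  const d = createDecipheriv("chacha20-poly1305", key, nonceFor(n), { authTagLength: 16 });
  d.setAuthTag(sealed.subarray(sealed.length - 16));
  return Buffer.concat([d.update(sealed.subarray(0, sealed.length - 16)), d.final()]); // throws if tampered
}

function demo() {
  const ctrl = newParty(), acc = newParty(), stranger = newParty();
  const kC = stsFinish(ctrl, acc.eph.publicKey, stsSign(acc, ctrl.eph.publicKey), acc.identity.publicKey);
  const kA = stsFinish(acc, ctrl.eph.publicKey, stsSign(ctrl, acc.eph.publicKey), ctrl.identity.publicKey);
  // An unpaired device signs validly with its own key, but not the pinned one.
  const bad = stsFinish(ctrl, stranger.eph.publicKey, stsSign(stranger, ctrl.eph.publicKey), acc.identity.publicKey);
  const msg = unseal(kA, 0, seal(kC, 0, Buffer.from("lock:status?"))).toString();
  return { keysMatch: kC.equals(kA), strangerRejected: bad === null, msg };
}

console.log(demo());
```

Because the signature covers both ephemeral keys, a party in the middle that swaps in its own Curve25519 key cannot produce a signature that verifies against the pinned Ed25519 identity, so no session key is derived.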
HomeKit’s communication can sometimes be a little wonky, and you may have even experienced some “No Response” errors in your Home app.
Communication Between HomeKit-Compatible Devices and iCloud:
When a HomeKit-compatible device communicates with iCloud, it presents its certificate and a pass.
The pass is obtained from a different iCloud server and it isn’t unique for each accessory.
When an accessory requests a pass, it includes its manufacturer, model and firmware version in its request.
No user-identifying or home-identifying information is sent in this request. To help protect privacy, connection to the pass server isn’t authenticated. (Apple)
When accessories connect to the iCloud remote access server using HTTP/2, they are secured using TLS 1.2 with AES128-GCM and SHA256, and will stay connected to send and receive notifications as they drop in.
(iv) Apple’s Platform Security
Apple as a platform has robust security too!
They focus on these few:
- Hardware security
- System security
- Encryption and Data Protection
- App security
- Services security
If you’d like to read more on these topics, check out Apple’s platform security page.
(b) Comparison Among Smart Home Ecosystems
Just looking at Apple HomeKit isn’t enough. How does it fare with other smart home ecosystems?
To save time and effort in reading, I made a concise comparison table:
|Security Standards for Compatible Devices||Data Security||Communication Security||Platform Security|
As seen in the table above, the Apple HomeKit system is the clear winner when it comes to security.
I came up with these conclusions while looking through the security pages of Apple, Google, and Amazon.
Apple’s HomeKit is the only one that requires both authentication and encryption when it sends data between its devices.
Moreover, the encryption used by Apple is based on keys, which allow data only to be accessed by keys from your device.
Information that needs to be stored is then stored securely in iCloud.
Some studies have also shown that Siri is the most private of all the virtual/voice assistants!
While Google Home has good security standards, it supports many smart home IoT devices that do not require a stringent enrolment like Apple’s MFi licensing program.
Amazon’s Alexa really loses out in security compared to the rest. There are constant complaints of Alexa listening to conversations.
This is because Amazon has a specially dedicated team that listens to users’ conversations to look at how to best optimize Alexa.
In fact, compared to Apple’s high-security standards, Amazon loses out by a huge margin. Alexa also approves 234 policy-violating skills on their skill store.
3. Where Is HomeKit Data Stored?
HomeKit data is stored in iCloud. The HomeKit data stored in iCloud is encrypted using keys that are available only on a user’s Apple devices, and cannot be accessed by any other party during data transmission or within iCloud storage.
4. Does HomeKit Backup To iCloud?
HomeKit does back up to iCloud. This backup is secure and is encrypted using keys that are only accessible by a user’s Apple devices. The backup cannot be accessed during data transfer or from iCloud, even by Apple.
5. Is HomeKit Secure Video More Secure Than Other Subscriptions?
HomeKit Secure Video is more secure than other smart home video subscriptions. All recordings from HomeKit Secure Video cameras are analysed privately on Apple devices at home and then sent securely to iCloud through end-to-end encryption.
6. Are HomeKit Devices More Secure?
HomeKit devices are more secure than other smart home devices. HomeKit devices have to go through the MFi program by Apple which entails rigorous standards for initial approval and ongoing regulation by Apple to remain in it. Smart home devices not working with HomeKit do not go through such a stringent process.
7. Is HomeKit More Secure than Alexa?
HomeKit is more secure than Alexa. HomeKit data is securely transmitted among HomeKit devices, and from HomeKit devices to the secure iCloud remote access server through an encrypted process. Alexa, however, has been known to be more prone to security issues despite its encrypted data transmissions.
8. Is HomeKit Private?
HomeKit is private. HomeKit’s Home app uses end-to-end encryption to transmit to all HomeKit accessories. All HomeKit data is stored in the iCloud Keychain of a user’s Apple device. Apps and devices that work with HomeKit have to follow strict developer guidelines to ensure high standards of quality.
9. Is Siri Safer Than Alexa?
Siri is safer than Alexa. Siri is safe because it does not collect data for ads like Alexa does, which if hacked, can be unsafe. More specifically, Siri does not run any behavioral ads or third-party tracking, track users, or set up an ad profile, which Alexa does.
10. Are Digital Assistants In The Home Safe?
Digital assistants in the home are generally not safe, although precautions are taken by tech companies to ensure that they are. Digital assistants, like all electronic devices, are vulnerable to hacks, especially when the user is unaware of keeping up to date with the most secure software and hardware.
11. Can Apple HomeKit Be hacked?
Apple HomeKit can be hacked. In rare cases in the past, Apple HomeKit had a software bug which allowed hackers to access smart locks. Researchers have also found a ‘doorLock’ DoS bug in Apple HomeKit which can render Apple devices unresponsive. However, Apple HomeKit is very secure and is unlikely to be hacked.
Well, now you know all the effort that Apple puts into making sure that security and privacy are ensured in their products and services, including HomeKit.
As evidenced in this article, HomeKit is way more secure than any other smart home ecosystem.
In fact, if you are looking to start with a very robust, secure, and private system, then Apple’s HomeKit is for you!
However, Apple HomeKit is not perfect.
That’s all and thanks for reading this article. Stay smart and keep hacking up your homes!