← Back to context

Comment by bushbaba

3 years ago

You do control the keys though, "Because it’s encrypted using keys that are available only on the user’s iOS, iPadOS, and macOS devices"

"The authentication is based on Ed25519 public keys that are exchanged between the devices when a user is added to a home. After a new user is added to a home, all further communication is authenticated and encrypted using Station-to-Station protocol and per-session keys"

"The user who initially created the home in HomeKit or another user with editing permissions can add new users. The owner’s device configures the accessories with the public key of the new user so that the accessory can authenticate and accept commands from the new user. When a user with editing permissions adds a new user, the process is delegated to a home hub to complete the operation. "

https://support.apple.com/guide/security/data-security-sec49...

1 comment

bushbaba

Reply
O__________O  3 years ago

By control, I mean, create, replace, destroy, etc — I would never create keys based on “identity and a random nonce” selected by a third-party.

Also, since you brought it up, appears Ed25519 vulnerability has been reported:

https://www.google.com/search?q=Ed25519+exploit

Also, are these HomeKit “keys” in iCloud backups unencrypted? Meaning that the HomeKit data is encrypted, but the keys are not; to be clear, not saying they are, asking if they are.