iCloud remote access for HomeKit accessories
Some legacy HomeKit accessories still require the ability to connect directly with iCloud to enable iOS, iPadOS and macOS devices to control the accessory remotely when Bluetooth or Wi-Fi communication isn’t available. Remote access via a home hub (such as HomePod, Apple TV or iPad) is preferentially used whenever possible.
iCloud remote access is still supported for legacy devices, and has been carefully designed so that accessories can be controlled and send notifications without revealing to Apple what the accessories are, or what commands and notifications are being sent. HomeKit doesn’t send information about the home over iCloud remote access.
When a user sends a command using iCloud remote access, the accessory and iOS, iPadOS and macOS device are mutually authenticated and data is encrypted using the same procedure described for local connections. The contents of the communications are encrypted and not visible to Apple. The addressing through iCloud is based on the iCloud identifiers registered during the setup process.
Accessories that support iCloud remote access are provisioned during the accessory’s set-up process. The provisioning process begins with the user signing into iCloud. Next, the iOS and iPadOS device asks the accessory to sign a challenge using the Apple Authentication Coprocessor that’s built into all Built for HomeKit accessories. The accessory also generates prime256v1 elliptic curve keys and the public key is sent to the iOS and iPadOS device along with the signed challenge and the X.509 certificate of the authentication coprocessor. These are used to request a certificate for the accessory from the iCloud provisioning server. The certificate is stored by the accessory, but it doesn’t contain any identifying information about the accessory, other than it has been granted access to HomeKit iCloud remote access. The iOS and iPadOS device that is conducting the provisioning also sends a bag to the accessory, which contains the URLs and other information needed to connect to the iCloud remote access server. This information isn’t specific to any user or accessory.
Each accessory registers a list of allowed users with the iCloud remote access server. These users have been granted the ability to control the accessory by the user who added the accessory to the home. Users are granted an identifier by the iCloud server and can be mapped to an iCloud account for the purpose of delivering notification messages and responses from the accessories. Similarly, accessories have iCloud-issued identifiers, but these identifiers are opaque and don’t reveal any information about the accessory itself.
When an accessory connects to the HomeKit iCloud remote access server, it presents its certificate and a pass. The pass is obtained from a different iCloud server, and it isn’t unique for each accessory. When an accessory requests a pass, it includes its manufacturer, model and firmware version in its request. No user-identifying or home-identifying information is sent in this request. To help protect privacy, connection to the pass server isn’t authenticated.
Accessories connect to the iCloud remote access server using HTTP/2, secured using TLS v1.2 with AES-128-GCM and SHA-256. The accessory keeps its connection to the iCloud remote access server open so that it can receive incoming messages and send responses and outgoing notifications to iOS, iPadOS and macOS devices.