HomeKit accessories and iCloud
Note: Whenever possible, access services directly through a home hub instead of through iCloud. For example, use a hub such as HomePod, Apple TV, or iPad.
iCloud remote access is still supported for legacy HomeKit devices. Apple carefully designed those devices so that users can control them and send notifications to them without revealing to Apple what the accessories are or what commands and notifications are being sent. HomeKit never sends information about the home over iCloud remote access.
Mutual authentication of an accessory and an Apple device
When a user sends a command using iCloud remote access, the accessory and iOS, iPadOS, and macOS device are mutually authenticated and data is encrypted using the same procedure described for local connections. The contents of the communications are encrypted and not visible to Apple. The addressing through iCloud is based on the iCloud identifiers registered during the setup process.
Accessory setup process
Accessories that support iCloud remote access are provisioned during the accessory’s setup process. The provisioning process begins with the user signing in to iCloud. Next, the iOS, and iPadOS device asks the accessory to sign a challenge using the Apple Authentication Coprocessor that’s built into all Built for HomeKit accessories. The accessory also generates prime256v1 elliptic curve keys, and the public key is sent to the iOS, and iPadOS device along with the signed challenge and the X.509 certificate of the authentication coprocessor. These are used to request a certificate for the accessory from the iCloud provisioning server. The certificate is stored by the accessory, but it doesn’t contain any identifying information about the accessory, other than it has been granted access to HomeKit iCloud remote access. The iOS, and iPadOS device that is conducting the provisioning also sends a bag to the accessory, which contains the URLs and other information needed to connect to the iCloud remote access server. This information isn’t specific to any user or accessory.
Accessory list of allowed users
Each accessory registers a list of allowed users with the iCloud remote access server. These users have been granted the ability to control the accessory by the user who added the accessory to the home. Users are granted an identifier by the iCloud server and can be mapped to an iCloud account for the purpose of delivering notification messages and responses from the accessories. Similarly, accessories have iCloud-issued identifiers, but these identifiers are opaque and don’t reveal any information about the accessory itself.
How accessories connect to iCloud remote access server
When an accessory connects to the HomeKit iCloud remote access server, it presents its certificate and a pass. The pass is obtained from a different iCloud server, and it isn’t unique for each accessory. When an accessory requests a pass, it includes its manufacturer, model, and firmware version in its request. No user-identifying or home-identifying information is sent in this request. To help protect privacy, connection to the pass server isn’t authenticated.
Accessories connect to the iCloud remote access server using HTTP/2, secured using TLS 1.2 with AES128-GCM and SHA256. The accessory keeps its connection to the iCloud remote access server open so that it can receive incoming messages and send responses and outgoing notifications to iOS, iPadOS, and macOS devices.