HomeKit communication security
HomeKit provides a home automation infrastructure that uses iCloud and iOS, iPadOS, and macOS security to protect and sync private data without exposing it to Apple.
HomeKit identity and security are based on Ed25519 public-private key pairs. For each user, an Ed25519 key pair is generated for HomeKit on the iOS, iPadOS, and macOS device, and it becomes that user’s HomeKit identity. This key pair is used to authenticate communication between iOS, iPadOS, and macOS devices, and between iOS, iPadOS, and macOS devices and accessories.
The keys are stored in Keychain and are included only in encrypted Keychain backups. They are kept up to date between devices using iCloud Keychain, where available. HomePod and Apple TV receive keys using tap-to-setup or the setup mode described below. Keys are shared from an iPhone to a paired Apple Watch using Apple Identity Service (IDS).
Communication between HomeKit accessories
HomeKit accessories generate their own Ed25519 key pair for use in communicating with iOS, iPadOS, and macOS devices. If the accessory is restored to factory settings, a new key pair is generated.
To establish a relationship between an iOS, iPadOS, and macOS device and a HomeKit accessory, keys are exchanged using the Secure Remote Password (3072-bit) protocol, using an eight-digit code provided by the accessory’s manufacturer and entered on the iOS or iPadOS device by the user. The exchanged keys are then encrypted using ChaCha20-Poly1305 AEAD with HKDF-SHA512 derived keys. The accessory’s MFi certification is also verified during setup. Accessories without an MFi chip can build in support for software authentication in iOS 11.3 or later.
When the iOS, iPadOS, and macOS device and the HomeKit accessory communicate during use, each authenticates the other using the keys exchanged in the above process. Each session is established using the Station-to-Station protocol and is encrypted with HKDF-SHA512 derived keys based on per-session Curve25519 keys. This applies to both IP-based and Bluetooth Low Energy (BLE) accessories.
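The session setup described above, as an added Python sketch that is not Apple's code or the HomeKit wire format: both sides contribute per-session Curve25519 keys, prove their identity with the Ed25519 keys exchanged at pairing, and derive per-direction keys with HKDF-SHA512. It assumes the third-party `cryptography` package; the function names, salt, info labels, nonces and transcript layout are constructed for illustration.

```python
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ed25519, x25519
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

SALT = b"example-salt"  # constructed value, not taken from the HomeKit protocol

def new_identity():
    """Long-term Ed25519 identity key, as exchanged during pairing."""
    return ed25519.Ed25519PrivateKey.generate()

def raw(pub):
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)

def kdf(shared, info):
    # HKDF-SHA512 -> 32-byte ChaCha20-Poly1305 key; info labels are constructed
    return HKDF(algorithm=hashes.SHA512(), length=32, salt=SALT, info=info).derive(shared)

def seal_sig(shared, signer, transcript, nonce):
    # Sign both ephemeral keys, then hide the signature under a handshake key
    aead = ChaCha20Poly1305(kdf(shared, b"handshake"))
    return aead.encrypt(nonce, signer.sign(transcript), None)

def open_sig(shared, pinned_pub, transcript, blob, nonce):
    sig = ChaCha20Poly1305(kdf(shared, b"handshake")).decrypt(nonce, blob, None)
    pinned_pub.verify(sig, transcript)  # raises InvalidSignature for an unpaired peer

def establish_session(ctrl_lt, acc_lt, acc_pinned, ctrl_pinned):
    """Run both roles in-process; return (controller_keys, accessory_keys)."""
    ctrl_eph = x25519.X25519PrivateKey.generate()  # fresh for every session
    acc_eph = x25519.X25519PrivateKey.generate()
    c_pub, a_pub = raw(ctrl_eph.public_key()), raw(acc_eph.public_key())
    n2, n3 = b"\x00" * 11 + b"\x02", b"\x00" * 11 + b"\x03"  # one nonce per message
    # Accessory: derive the shared secret and prove its long-term identity
    acc_shared = acc_eph.exchange(x25519.X25519PublicKey.from_public_bytes(c_pub))
    msg2 = seal_sig(acc_shared, acc_lt, a_pub + c_pub, n2)
    # Controller: check the proof against the key pinned at pairing, then answer
    ctrl_shared = ctrl_eph.exchange(x25519.X25519PublicKey.from_public_bytes(a_pub))
    open_sig(ctrl_shared, acc_pinned, a_pub + c_pub, msg2, n2)
    msg3 = seal_sig(ctrl_shared, ctrl_lt, c_pub + a_pub, n3)
    open_sig(acc_shared, ctrl_pinned, c_pub + a_pub, msg3, n3)

    def session_keys(secret):  # one key per direction
        return kdf(secret, b"controller-to-accessory"), kdf(secret, b"accessory-to-controller")
    return session_keys(ctrl_shared), session_keys(acc_shared)
```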
For BLE devices that support broadcast notifications, the accessory is provisioned with a broadcast encryption key by a paired iOS, iPadOS, and macOS device over a secure session. This key is used to encrypt the data about state changes on the accessory, which are announced using BLE advertisements. The broadcast encryption key is an HKDF-SHA512 derived key, and the data is encrypted using the ChaCha20-Poly1305 AEAD algorithm. The broadcast encryption key is periodically changed by the iOS, iPadOS, and macOS device and updated to other devices using iCloud as described in HomeKit data security.
HomeKit and Siri
Siri can be used to query and control accessories, and to activate scenes. Minimal information about the configuration of the home is provided anonymously to Siri, to provide names of rooms, accessories, and scenes that are necessary for command recognition. Audio sent to Siri may denote specific accessories or commands, but such Siri data isn’t associated with other Apple features such as HomeKit.
Siri-enabled HomeKit accessories
Users can enable new features like Siri, and other HomePod features like timers, alarms, intercom, and doorbell, on Siri-enabled accessories using the Home app. When these features are enabled, the accessory coordinates with a paired HomePod on the local network that hosts these Apple features. Audio is exchanged between the devices over encrypted channels using both HomeKit and AirPlay protocols.
When Listen for Hey Siri is turned on, the accessory listens for the “Hey Siri” phrase using a locally running trigger-phrase detection engine. If this engine detects the phrase, it sends the audio frames directly to a paired HomePod using HomeKit. The HomePod does a second check on the audio and may cancel the audio session if the audio doesn’t appear to contain the trigger phrase.
When Touch for Siri is turned on, the user can press a dedicated button on the accessory to start a conversation with Siri. The audio frames are sent directly to the paired HomePod.
After a successful invocation of Siri is detected, the HomePod sends the audio to Siri servers and fulfills the user’s intent using the same security, privacy, and encryption safeguards that the HomePod applies to user invocations made to the HomePod itself. If Siri has an audio reply, then Siri’s response is sent over an AirPlay audio channel to the accessory. Some Siri requests require additional information from the user (for example, asking if the user wants to hear more options). In that case, the accessory receives an indication that the user should be prompted, and the additional audio is streamed to the HomePod.
The accessory is required to have a visual indicator to signal to a user when it’s actively listening (for example, an LED indicator). The accessory has no knowledge of the intent of the Siri request, except for access to the audio streams, and no user data is stored on the accessory.