Securing routers with HomeKit
Routers that support HomeKit let users improve the security of their home network by managing the Wi-Fi access that HomeKit accessories have to their local network and to the internet. The routers also support Private PSK (PPSK) authentication, so accessories can be added to the Wi-Fi network using a key that’s specific to the accessory and that can be revoked when needed. PPSK authentication improves security by not exposing the main Wi-Fi password to accessories, as well as by allowing the router to securely identify an accessory even if it were to change its MAC address.
Using the Home app, a user can configure access restrictions for groups of accessories as follows:
No restriction: Allow unrestricted access to the internet and the local network.
Automatic: This is the default setting. Allow access to the internet and the local network based on a list of internet sites and local ports provided to Apple by the accessory manufacturer. This list includes all sites and ports needed by the accessory to function properly. (No Restriction is in place until such a list is available.)
Restrict to Home: No access to the internet or the local network except for the connections required by HomeKit to discover and control the accessory from the local network (including from the home hub to support remote control).
A PPSK is a strong, accessory-specific WPA2 Personal passphrase that is automatically generated by HomeKit and revoked if and when the accessory is later removed from the Home. A PPSK is used when an accessory is added to the Wi-Fi network by HomeKit in a Home that has been configured with a HomeKit router; this addition is reflected as Wi-Fi Credential: HomeKit-managed on the settings screen for the accessory in the Home app. Accessories that were added to the Wi-Fi network before adding the router are reconfigured to use a PPSK if the accessory supports this; otherwise, they retain their existing credentials.
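The following added example (not Apple's or any router vendor's code) shows why a per-accessory WPA2 Personal passphrase identifies an accessory independently of its MAC address and how revocation takes effect. It assumes the router matches a join attempt by checking the message 2 MIC of the standard WPA2 four-way handshake against each enrolled key; the Router class, its methods, join, and all sample values are hypothetical.

```python
import hashlib, hmac, os

def pmk(passphrase, ssid):
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def msg2_mic(pmk_, aa, spa, anonce, snonce, frame):
    # KCK = first 16 bytes of the PTK from the 802.11 PRF (HMAC-SHA1)
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    kck = hmac.new(pmk_, b"Pairwise key expansion\x00" + data + b"\x00",
                   hashlib.sha1).digest()[:16]
    # MIC over handshake message 2 with its MIC field zeroed (HMAC-SHA1-128)
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

class Router:
    def __init__(self, ssid, bssid):
        self.ssid, self.bssid, self.pmks = ssid, bssid, {}
    def enroll(self, accessory, ppsk):
        self.pmks[accessory] = pmk(ppsk, self.ssid)
    def revoke(self, accessory):
        self.pmks.pop(accessory, None)
    def identify(self, spa, anonce, snonce, frame, mic):
        # Try each enrolled key; the MAC address (spa) is an input to the
        # derivation but is never used as the identity.
        for accessory, key in self.pmks.items():
            expected = msg2_mic(key, self.bssid, spa, anonce, snonce, frame)
            if hmac.compare_digest(expected, mic):
                return accessory
        return None

def join(router, ppsk, spa):
    # Accessory side of messages 1 and 2, reduced to the fields the MIC covers.
    anonce, snonce = os.urandom(32), os.urandom(32)
    frame = b"constructed EAPOL-Key message 2 body" + snonce
    mic = msg2_mic(pmk(ppsk, router.ssid), router.bssid, spa, anonce, snonce, frame)
    return router.identify(spa, anonce, snonce, frame, mic)

def demo():
    # SSID, MAC addresses and passphrases below are constructed sample values.
    r = Router(b"ExampleHome", bytes.fromhex("020000000001"))
    r.enroll("lamp", "constructed-lamp-passphrase")
    r.enroll("camera", "constructed-camera-passphrase")
    first = join(r, "constructed-lamp-passphrase", bytes.fromhex("0200000000aa"))
    new_mac = join(r, "constructed-lamp-passphrase", bytes.fromhex("0200000000bb"))
    r.revoke("lamp")
    revoked = join(r, "constructed-lamp-passphrase", bytes.fromhex("0200000000bb"))
    still_ok = join(r, "constructed-camera-passphrase", bytes.fromhex("0200000000cc"))
    return first, new_mac, revoked, still_ok
```

Revoking one accessory's key leaves every other accessory's credential untouched, which a single shared Wi-Fi password cannot offer.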
As an additional security measure, users must configure the HomeKit router using the router manufacturer’s app, so that the app can validate that users have access to the router and can add it to the Home app.