HomeKit Routers: What are they?

When you buy through links in this article, I may earn an affiliate commission. Learn More.

At 2019’s World-Wide Developer’s Conference, Apple announced a couple of new features for their HomeKit smart home platform. One of these was HomeKit-enabled Routers, which add a whole host of extra security controls to address some of the biggest issues with connected smart devices.

While certified pure HomeKit accessories are pretty secure, with Apple-mandated end-to-end encryption and communication only with Apple devices, many HomeKit devices also support their maker’s own apps and online services, as well as other smart home platforms like Amazon’s Alexa.

In almost all of these cases, that means these devices need to access to the internet, and that can mean trouble.

It’s well understood by now that poorly written device firmware has resulted in countless cases of devices being recruited into botnets to wreak havoc on the target companies or the internet as a whole, or these devices can be co-opted to provide a beach head into private networks to steal personal and corporate data for extortion and fraud.

A comprehensive suite of firewall rules can stop these attacks in their tracks, but many home routers are simply not up to the task, nor do most people have any idea how to go about doing this without breaking their devices intended functionality. Apple aims to solve this for the masses.

What is a HomeKit Router?

Not to be confused with a HomeKit home hub, which helps run your HomeKit smart home, a HomeKit Router is simply a normal home WiFi router with some additional HomeKit support built in. A home hub is required to use these features, however.

HomeKit presentation, WWDC 2019 Keynote

HomeKit presentation, WWDC 2019 Keynote

Adding a supported router to your HomeKit setup enables some additional features in the Home app on your iPhone (or iPad) that allow you to control how your HomeKit accessories communicate. One of these is that you can view the status of any HomeKit compatible routers that you have added to your home, the other, and most important, is called HomeKit Accessory Security.

HomeKit Accessory Security is essentially a simplified user interface for creating a set of firewall rules on the router to limit what your accessories can talk to, and thus what can access them in return.

Once you have a compatible router added to HomeKit, you’ll get an extra option under Home Settings in the Home app called Wi-Fi Network and Routers. Under here you’ll see the routers connected, and the option to enable Accessory Security. Under that is a list of all your accessories and their current settings.

They’ll default to Auto to start. What that means is that the accessory maker can specify a list of services that are allowed and what they are used for. The router will allow access to those service only, and block everything else. Whether an accessory has such a list is up to the device maker.

Beyond the Auto setting, you can elect to specify two other options: Restrict to Home, which blocks all outside access, and No Restriction which will leave them as they were before.

Beyond these restrictions, your accessories will automatically be firewalled off from each other to prevent a compromised device being used to infiltrate further into your network.

How does this affect Accessory behavior?

Under all of these settings your HomeKit accessories will continue to function because they will always be permitted access to your home hubs. The Restrict to Home setting may have some effects where accessories use third party services for some features, and this includes firmware updates. You can always temporarily change the setting for a device to run those updates if necessary.

Restricting a smart device’s access to the internet, and just as importantly, other devices in your network, is an effective mitigation for attacks against the devices using flaws in their firmware as those flaws will likely be blocked for being exposed to the internet. Even if an allowed third party service is hacked giving attackers access to the device using it, the compromised device will be prevented from accessing anything else on your network, limiting the damage and protecting your personal data.

The result is a huge step forward in smart home security for the vast majority of users, but does come with the significant cost of new router hardware as the feature is only available on models that support the feature natively.

Which Routers are compatible?

Uptake of HomeKit-enabled router compatibility is still quite limited, with only two major brands having supported products on the market. According to one developer this is due to the complexity of the implementation, and the Apple’s rigorous certification requirements.

Amazon’s eero brand has now added support to their latest models, so you have a choice of the eero Mesh 5, dual-band eero 6 or tri-band eero Pro 6. Linksys has their newest WiFi 6 Linksys Velop mesh range, in the MX4200, MX8400, or MX12600 models.

Note that the eero 6 range only had support enabled in May 2021, so you may need a firmware update for it to be available depending on the build date of your hardware.