Monday, April 7, 2014

[securityaffairs] New iOS 7 bug allows anyone to disable Find My iPhone feature

A new iOS 7 bug allows anyone to disable Find My iPhone feature and to bypass Activation Lock without user’s Apple credentials.

HAckers can bypass Find My iPhone feature, a new bug menaces the security of Apple iPhone users, a flaw recently discovered in iOS 7.1 allows thieves to disable Find My iPhone feature, remove iCloud and restore the mobile device without knowledge of the user’s Apple ID password.
A proof of concept was posted by 9to5mac.com, the video shows an iPhone that is hacked touching both the “Delete Account” icon and the toggle button, this sequence allows to disable Find My iPhone in the iCloud settings.  

When Apple presented its new feature called Activation Lock it announced that it will make it very hard for bad guys to prep it for resale, while the top lawyers from New York and San Francisco have sounded off on this new feature, describing  it as “an important first step towards ending the global epidemic of smartphone theft.”
Find my iPhone
Any possible abuse requires a user’s password as described by Apple
  • “Turning off Find My iPhone, erasing your device, reactivation, and signing out of iCloud requires your Apple ID password”
  • “A custom message can be displayed on your device even after a remote erase”
The new bug change the scenario, since Activation Lock requires Find My iPhone to be enabled, this feature won’t come online after a restore operation made by thieves. The consequences are serious in term of security for the users, a thief in fact can disable the Find My iPhone feature, remove iCloud, and restore the handset without having to provide the Apple ID credentials fro your iOS device.
Be aware, because to exploit the flaw in the iOS system the thief have to find the mobile unlocked, this is necessary to access the Settings app in the iPhone.  It is so important to avoid leaving unattended and unlocked the device, so activate the passcode lock or enable Touch ID feature.
Let’s wait for a prompt resolution of the bug.

No comments:

Post a Comment