iPhone and iPad Activation Lock Coming in iOS 7
Those of you who have been diligent in securing your iOS devices with passcodes, wiping and Find My iPhone, just to have a thief restore your device and keep on going – well – your prayers have been answered. Coming in iOS 7 is a great feature called ‘Activation Lock’.
With Activation Lock enabled, even if your iPhone or iPad is restored to its factory settings, the user will need to activate the device using the Apple ID of the previous user. Also, if the device was put into Lost Mode in Find My iPhone, the lock screen will continue to display the fact that it is lost until the device is activated.
This is a hugely useful feature that, if used properly, will make iPhones and iPads a significantly less attractive target to thieves, as the stolen devices would be rendered useless to them. It was nice to see Apple address one of the main concerns that users have been expressing about the bypass-ability of Find My iPhone. Check out Protecting and Recovering Your iPhone and iPad from Loss and Theft (will be updated soon with this new feature).
New Lockscreen Bypass in iOS 6.1
In a vulnerability that’s quite similar to one in iOS 4.1 a couple years ago, another lockscreen bypass has been discovered in iOS 6.1 which allows someone with physical access to your iPhone to make calls, view and modify your contacts, send an email to your contacts, listen to your voicemail, and access your photos (by attempting to add one of these to a contact).
The method for this bypass is fairly simple (see the video below for it in action):
- Swipe to unlock and then tap Emergency Call
- Make an emergency call (eg. 112/911) and immediately cancel it (please don’t unnecessarily call the emergency services ;)
- Press the power button twice
- Slide to unlock
- Hold down the power button for a couple seconds and then tap Emergency Call again.
- …
- Profit!
I should point out that this doesn’t seem to work on my iPhone 4 for some reason. Something does happen, but I just get a black screen until I press something whereupon I’m booted back to the lock screen.
New “Lost Mode” in Find My iPhone (iCloud)
With iOS 6, Apple will be releasing an updated set of web apps on iCloud.com, including Mail, Calendar, Notes, Reminders and Find My iPhone. Find My iPhone is a useful feature that allows you to track or wipe your iPhone, iPad or iPod Touch should it get lost or stolen. For more info check out my article on Protecting and Recovering Your iPhone and iPad from Loss and Theft. In this post I just want to point out the changes to Find My iPhone, in particular the new “Lost Mode”. Read more
There Is No Camera Lock Screen Bypass in iOS 5.1
There have been reports (and here) of iOS 5.1 containing a camera bypass tied to the new camera shortcut on the lock screen. The people who have reported this are sadly confused about the security timeout enforced by iOS’s Require Passcode setting (Settings > General > Passcode Lock > Require Passcode). If your Require Passcode setting is set to anything other than Immediately, then your device (and the camera roll from the camera shortcut) will be accessible for the entire duration of time specified (ie. 1 minute or 5 minutes).
As always, the best setting for Require Passcode is Immediately. That way you know that when you lock your device, it is actually locked, and will prevent someone from gaining access to it without the passcode within the minutes following the ‘lock’.
Sadly people seem all too eager to rush and report on iOS vulns before actually verifying them.
TDLR; There is no lock screen bypass in iOS 5.1 using the new camera shortcut. They were wrong.
Frequently Asked Questions About Find My iPhone (and iPad)
I’ve been getting a lot of hits for my article on Protecting and Recovering Your iPhone and iPad from Loss and Theft, and the search queries I’m seeing in my logs, together with the visitor comments, have raised a number of recurring questions. I’ve decided to publish this one-stop-shop of answers for all of the different queries that I see people searching for when they arrive. Although my article addresses a number of these, I wanted to put them all in one post for easy reference. I’ll update this post as new questions crop up. Here goes, in no particular order:
Charlie Miller Discovers iOS Code-Signing Bypass Vulnerability
Security researcher Charlie Miller (@0xcharlie) has discovered a significant flaw in iOS which may allow a malicious app on the App Store to download and execute arbitrary unsigned code. What this means for iPhone, iPad and iPod Touch users is that installing a malicious app may allow an attacker to obtain shell access to your device, and download contacts or images.
Apple reviews every app submitted to the App Store, which has meant that iOS users have not had to worry about outright malware. Since this vulnerability allows the apps to fetch code remotely, they can perform actions not reviewed by the App Store staff. Charlie had submitted a proof-of-concept app that was approved (see video below), but has since been removed by Apple.
The reason this vulnerability works is based around some changes Apple made in iOS 4.3 last year, which allowed Mobile Safari to run javascript at a more privileged level on the devices. This change required Apple to make an exception for Safari to execute unsigned code in a particular area of memory. Charlie Miller’s bug is allegedly a very unique case that allows any app to take advantage of this, and hence run their own unsigned code.
Charlie will be presenting the vulnerability in detail at the SysCan conference in Taiwan next week. Apple has already released a developer beta of iOS 5.0.1 which patches the recent iPad Smart Cover lock screen bypass, but I would not be at all surprised if they release another beta which includes a fix for this bug. Until then, be careful to only install apps from developers you trust.
[Update] Apple has kicked Charlie out of the Developer program. At first I felt that this was an extremely bad reaction on Apple’s part. That said, Apple is probably most upset that Charlie’s proof-of-concept app could have been installed by legitimate users. Regardless of Charlie’s intentions, this could constitute malware, and he should have removed the app as soon as he saw the flaw existed. The posting of his video above probably didn’t help matters either.
Securing Siri on a Locked iPhone 4S
Although I haven’t had the chance to play with her myself (does that sound wrong?), Siri seems like an awesome addition to the iPhone. It’s worth pointing out, however, that it is still possible to use Siri when the iPhone is locked – presumably for convenient ease-of-use. Unfortunately this means that anyone with physical access to your phone can access information including contacts, calendar items, SMS/iMessages, and also make calls and send emails or messages from you.
[Update] There have been a whole bunch of people crying about how this is a major security flaw. Just to dispel some of the myth… this is not a security flaw, it’s a design decision that Apple made based on usability. Yes, it’s a default setting that may introduce some vulnerabilities, but then again there are still lots of people who run around without passcodes. To be honest I’m usually the first to secure the hell out of everything, but in this case I feel they made the right decision for two reasons. First, Siri is obviously less useful as a hands-free assistant if you need to unlock your phone every time; and secondly making it easier to use will help drive the adoption of Siri.
Luckily Apple thought of this on at least two levels. First, if you ask Siri to unlock your iPhone she’ll respectfully tell you that she “can’t unlock your phone for you”. Secondly – and this is the important one – it is possible to disable the use of Siri when the iPhone is locked. The option now lives in Settings > General > Passcode Lock, where you can set Siri to Off.
Needless to say (contrary to the screenshot), I recommend setting ‘Require Passcode’ to Immediately, turn Simple Passcode off so you can set a 5-or-more-digit PIN, set ‘Siri’ to off to prevent access when your iPhone is locked, and turn on Erase Data after 10 failed passcode attempts.
Siri is great, but let’s not make it easy for someone to social-engineer her into betraying you. See my other post for more details on protecting your iPhone from loss and theft.
In other news… you can tell Siri to use a specific nickname when talking to you. It’s important to note, however, that the nickname will be put into your VCard. So be careful if you tell her to call you her pimp, and then send someone your contact details ;)
Key iOS Security Updates Patch PDF and Certificate Validation Vulnerabilities (4.3.4 and 4.3.5)
The two latest iOS updates are fairly significant in that they patch two critical vulnerabilities. iOS update 4.3.4 patched a number of bugs including comex’s PDF/FreeType vulnerability used to create the latest JailbreakMe exploit. If you’re a jailbreaker, it’s essential that you run comex’s ‘PDF Patcher 2’ within Cydia, in order to patch the underlying vulnerability. iOS update 4.3.5 released a couple days ago, patches a fairly significant bug in the way iOS validates SSL/TLS certificates. This vulnerability can allow an attacker to intercept and/or modify data protected within an SSL session without the user knowing it. This was possible to due the fact that iOS didn’t validate the basicContstrains parameter of SSL certificates in the chain.
If you’re only an occasional patcher – now is the time.
Jailbreak iOS 4.3.3 with JailbreakMe 3.0
JailbreakMe.com has been updated to allow easy untethered jailbreak of your iOS devices, just follow the instructions on the site. Thanks to a new PDF exploit from comex (with the help of chpwn), it is now possible to jailbreak iPhones, iPads (including iPad 2) and iPod Touches running iOS 4.3.3 (note this doesn’t yet include any versions below that). During the jailbreak, saurik’s Cydia app store is automatically installed.
Interestingly, users with jailbroken devices can protect themselves by patching the PDF vulnerability by using ‘PDF Patcher 2’ in Cydia. Normal users will have to wait for iOS 4.3.4 from Apple. Note, however, that having a jailbroken iPhone or iPad still makes you slightly more vulnerable to other attacks, as the iOS sandbox is essentially bypassed.
Find My iPhone Brings Improved Offline Device Support
Apple has released an update to their free Find My iPhone offering, which greatly improves the support for tracking devices that are offline at the time. Note that this doesn’t mean you can track an iPhone or iPad that is turned off, or out of signal range (not possible). Instead, if a device is offline when you try to locate it, Apple will later send you an email with its location the next time that device gets back online. Thanks to this, it’s no longer necessary to constantly be checking the Find My iPhone app/webpage. Here is Apple’s summary of the changes:
- When you are unable to locate a device because it is offline, you will receive an email if the device comes online and is located.
- Ability to remove an offline device from the list using the app.
Note, it appears this updated feature is only available using the Find My iPhone app (version 1.2) available in the App Store – it is not yet available in the MobileMe web interface. I assume it won’t be updated until the new iCloud Find My iPhone web interface is launched. [Update: I was right.]
For more information on how to use this great free service to recover your iOS devices, check out Protecting and Recovering Your iPhone and iPad from Loss and Theft.
Loading ...
