Security firm says iPhone bug can thwart remote wipe

Written by

When you are at or near the top of a market, you become a target. Microsoft lived that life for many years. Now, the emergence of the mobile market has shifted the spotlight, as well as the security risk, over to iOS and Android. Though the rigor of Apple’s app inspection and certification process does keep the iOS app ecosystem significantly safer than Android, iOS devices are just as highly valued a target for hackers.

The point is, these attacks are going to keep coming. Apple’s job is to keep tweaking their processes to keep the bad guys at bay. So far, Apple has done their job well.

This new attack takes advantage of a flaw in the “Find my iPhone” process. The video below does an excellent job laying out the scenario. In a nutshell, the thief steals an iPhone and immediately turns on airplane mode to prevent the iPhone from being remotely wiped. This gives the thief enough time to break into your phone and use your credentials to reset your Apple ID password, take control of your phone, Apple account, and other accounts.

The video also offers 5 suggestions for fixing this problem:

  1. Apple should make Airplane Mode inaccessible from the lock screen by default and require a passcode – not just a fingerprint – any time Airplane Mode was activated or the SIM card was removed

  2. During Apple ID creation, Apple should warn users not to store credentials to password-reset accounts on their registered devices

  3. On Find My iPhone, Apple should differentiate between likely-temporary and likely-permanent loss scenarios, and in the latter, should advise users to immediately revoke the devices’s access to all accounts it has credentials for, e.g. email-, social media-, and telephony accounts

  4. The iOS lock screen should not display whether the phone is protected by a simple 4-digit PIN or a more complex passcode, and on devices with Touch ID, it should not display whether fingerprint authentication is being used

  5. Upon reconnecting to the Internet, iOS should not allow email retrieval before the device’s wipe- or don’t-wipe status can be retrieved

As with every other legitimate problem of this nature that Apple has faced, the problem has a fix. No doubt, Apple will do their analysis, find the best possible fix, and roll it out quickly so we can all sleep safely again.