Apple Inc.’s latest operating system (OS), iOS 7, appears to have a serious bug that can potentially allow a thief to bypass all security features.
iOS 7 added an extra layer of security called Activation Lock, which is meant to make it extra difficult for thieves to steal an iPhone. However, a new bug discovered by Miguel Alvarado can easily bypass all the layers of security, reported 9to5mac.
In order to understand the bypass, let’s understand how Activation Lock works. After iOS 7, if users want to turn off ‘Find My iPhone’ or reset the device, the phone asks for their Apple ID and password. Users also have to enter their Apple ID and password to reactivate the device after resetting it. This system attempts to ensure that phone thieves can’t remove the account and in turn avoid being tracked through the Find My iPhone website.
However, as Miguel demonstrates in the video, the process is pretty easy to circumvent. The ‘thief’ first needs to tap both ‘delete account’ and the switch to disable ‘Find My iPhone’ at the same time in the iCloud Settings panel. If done correctly, the device prompts for the password. At this juncture the thief has to merely hold down the Power Button and shut down the phone.
Once the phone restarts, simply go into the iCloud settings panel and remove the account. At this point the ‘stolen’ iPhone doesn’t even ask for the password and instantly deletes the account! Once this is done, the thief can simply connect the iPhone to the PC or Mac and start iTunes to ‘restore’ the phone to the Factory settings or Default settings.
Apparently, poorly implemented locking mechanisms mean Activation Lock depends on Find My iPhone, and since the latter doesn’t exist anymore, the feature doesn’t start and allows the thief to have complete control over the device. This means that all the effort spent designing and implementing two separate security layers has just been obliterated, reported The Times.
Fortunately, there is a simple solution. iPhone users who are on iOS 7 or any earlier iteration must turn on the Passcode feature. 9to5mac recommends keeping the timer short. This might prove cumbersome in everyday usage, but hopefully will prevent the thief from entering the settings panel and disabling the security features. As an added precaution, iPhone owners can turn on ‘Restrictions’, especially for ‘Location Services’.
Reports have appeared around the net that the same bypass technique even works on the newer iPad Air. Hence the Passcode feature seems even more critical now.