Researchers at SR Labs, a German security firm, have demonstrated a way to use Control Center and fake fingerprints to take control of a stolen iPhone 5S. It’s a far more complex attack than the one demonstrated last month, and takes into account a number of the other security features (and security flaws) in Apple’s system.
Instead of just breaking into someone’s phone, the attack goes one step further to take control of their Apple ID, which then allows an attacker to do a whole host of nefarious things including override the activation lock which would block them from activating the phone after it had been restored unless they had access to the user’s Apple ID password.
Here’s how it works:
As shown in the video, the attacker switches Airplane Mode on as they’re running away with the victim’s phone through Control Center, gains access to it through a fake fingerprint, and then gets into the victim’s iCloud account by requesting a password reset, which will allow them to disable the phone’s activation lock and gain permanent control of the phone.
This isn’t a foolproof method, mind you. One of the key components of the hack is getting the recovery email downloaded before the phone checks whether or not it’s flagged for erasure with Find my iPhone. If an attacker mis-times that window, the phone will get erased, with activation lock still in place.
While SR Labs has suggested a number of ways Apple can help its users, including making sure that the phone checks to see if it’s flagged for erasure before getting email (which seems like a no-brainer), iPhone owners can take steps to protect themselves before Apple takes action.
There were two major enablers to this attack: Control Center availability on the lock screen, and a lack of two-factor authentication on iCloud and your primary email account. If you solve those problems, you’re well on your way to protecting yourself against this attack.
While having access to Control Center on your lock screen is useful, it enables a whole host of functions that are open for exploitation. To disable it, open up your settings app, then go to Control Center, and toggle Access on Lock Screen off. You’ll still be able to use it by swiping up from the bottom of your iPhone’s screen when it’s unlocked, but now an attacker can’t use it to enable airplane mode without even having access to your phone first.
Adding two-factor authentication to your Apple ID is a slightly more involved process. Go to appleid.apple.com, sign in to your account, and go to the “Password and Security” settings, then click “Get Started” under Two-Factor Authentication. Follow the steps laid out, and Apple will give you a Recovery Key for your Apple ID. Now, when someone goes to reset your password, they’ll have to give Apple your recovery key and a code from your mobile device.
Most popular email providers also offer two-factor authentication, which will also help defend against this attack. Because iOS 7’s Mail app doesn’t support authentication through OAuth like some third party clients, you need to issue it a special password so that it can bypass your email provider’s two-factor requirement.
If someone makes off with your phone, you then have to go in to your iCloud and email accounts and revoke any access your phone might have to those accounts, by deleting application-specific passwords, locking your phone out of authenticator apps, and revoking the authorization you’ve given other apps. It’s certainly annoying, but it’s far better than the alternative of having your phone hijacked.
Finally, you want to make sure your phone’s lock screen is set up for multiple lines of defense. If the attacker’s attempt on your fingerprints doesn’t work, they’ll have to turn to your device’s password. Do yourself a favor, and set a complex passcode when you’re using Touch ID. It may be a bit of a pain whenever you actually have to enter it, but that’s leaps and bounds better than someone being able to just punch in 1234 and gain access to your device.
It’s worth noting that taking these precautions isn’t a replacement for keeping your device safe when you’re out and about. Just because you’ve taken these precautions doesn’t mean that you’re invulnerable, just better prepared.