iOS 7's Airplane mode 'can be exploited for iPhone account hijack attack'

Summary: German researchers show weakness of Apple making Airplane mode easier to access.

TOPICS: Security, Apple, iPhone

German security researchers have shown how an iPhone 5s thief can defeat attempts to remotely wipe the device and, with the help of a spoofed fingerprint, hijack the handset owner's iCloud and iTunes accounts.

Security researchers at German security firm SR Labs have shown that Apple's new iOS 7 Control Centre shortcut to Airplane mode, which can be accessed without requiring a passcode, could be a major vulnerability when it comes to physically stolen devices.

By turning on Airplane mode, the thief cuts the handset off from the network and so prevents the victim's attempts to remotely wipe the device using Apple's Find My iPhone through iCloud.

As the researchers show in a video on YouTube, that offline window could give the attacker enough time to create a spoofed fingerprint to bypass the iPhone 5s' TouchID fingerprint reader, then use password reset features to hijack the victim's iCloud and iTunes accounts, and any other linked accounts such as Gmail.

One of the main points of SR Labs' video appears to be to show that the iPhone 5s TouchID fingerprint feature brings new attack vectors to the Apple device and, in some senses, makes it less secure than older handsets without biometric readers.

"The flaws listed at the end of the video outline what we consider to be steps Apple can take to mitigate security weaknesses that have been introduced or amplified by new features in iOS 7 and/or the iPhone 5s' TouchID fingerprint authentication system," SR Labs told ZDNet.

"Point 5 suggests that Apple fix a particularly significant flaw in the implementation of Find My iPhone that allows thieves to connect to the internet and receive emails (eg, password reset tokens) on a stolen device despite its being flagged for remote wipe. This is the flaw that allowed the thief in the video to hijack the victim's Apple ID, but it is the combination of all of the flaws or 'attack fragments' that in the end allow for full-scale device — and ID — ownership without any special software or impressive hacking skills."

SR Labs released the hack shortly after the Germany-based Chaos Computer Club (CCC) revealed its own method of spoofing fingerprints in order to bypass TouchID on the iPhone 5s.

SR Labs used an iPhone 4S to take a picture of latent fingerprints left on an iPhone 5s. Though the researchers claim it only took one hour to create a spoofed fingerprint, it's probably not going to be that easy for the average person, unless they have special equipment, such as a repurposed face-tanning bed, and the know-how to replicate the fingerprint.

Marc Rogers, principal security consultant at Lookout, used the same technique as SR Labs to spoof a fingerprint, which relied on over $1,000-worth of equipment and was what he called "a little bit in the realm of a John le Carré novel".

Still, SR Labs' demo does highlight potential security problems in the way Apple has designed iOS 7.

SR Labs is urging Apple to make Airplane mode inaccessible from the lock screen by default, and to require users to enter their PIN after switching on Airplane mode or removing the SIM.

According to SR Labs, Apple should also warn users during Apple ID creation not to store, on their registered devices, login details for the email accounts that password-reset emails would be sent to. It also wants Apple to differentiate between temporary and permanent loss scenarios. In the latter case, Apple should advise users to revoke the device's access to all accounts it has stored logins for.

Finally, upon reconnecting to the internet, iOS should not allow email retrieval before the device's wipe-or-keep status has been retrieved from iCloud.
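The last two of SR Labs' recommendations are really ordering and access-control decisions, so they can be shown as a small state model. The Python below is an added, hypothetical model written for this article; it is not Apple's code and makes no claim about how iOS actually implements Control Centre, Find My iPhone or mail retrieval. The class and function names (`Device`, `FindMyPhoneCloud`, `run_scenario`) and the sample inbox are all constructed for the example. It contrasts a lock screen that does and does not expose the Airplane mode toggle, and a reconnect path that fetches mail before versus after asking iCloud whether the owner has flagged the device for wiping.

```python
"""
Toy model of two of SR Labs' recommendations: (1) should a locked device let
anyone flip Airplane mode, and (2) on reconnect, should mail (which may carry a
password-reset token) be fetched before or after the wipe status is checked?
Hypothetical model for illustration only; not Apple's implementation.
"""
from dataclasses import dataclass

# Constructed sample inbox; the second message stands in for a reset token.
SAMPLE_INBOX = ["newsletter", "password-reset: token=EXAMPLE-ONLY"]


@dataclass
class FindMyPhoneCloud:
    """Stand-in for the owner's side: has a remote wipe been requested?"""
    wipe_requested: bool = False


@dataclass
class Device:
    # Recommendation 1: when False, Airplane mode cannot be toggled until the
    # device has been unlocked (Control Centre not reachable from lock screen).
    control_centre_on_lock_screen: bool = True
    # Recommendation 2: when True, the device asks iCloud for its wipe status
    # and acts on it before it retrieves any mail.
    check_wipe_before_mail: bool = False
    unlocked: bool = False
    airplane_mode: bool = False
    wiped: bool = False

    def toggle_airplane_mode(self) -> bool:
        """Return True if the toggle was permitted in the current lock state."""
        if self.unlocked or self.control_centre_on_lock_screen:
            self.airplane_mode = not self.airplane_mode
            return True
        return False

    def reconnect(self, cloud: FindMyPhoneCloud, inbox: list) -> tuple:
        """Come online. Return (status, messages that became readable on the device)."""
        if self.airplane_mode:
            return ("offline", [])          # the wipe command cannot reach the device
        if self.wiped:
            return ("already-wiped", [])
        if self.check_wipe_before_mail:
            if cloud.wipe_requested:
                self.wiped = True
                return ("wiped-before-mail", [])
            return ("mail-fetched", list(inbox))
        # Legacy ordering: mail lands first; the wipe, if any, only arrives
        # afterwards, so any reset token was readable in between.
        readable = list(inbox)
        if cloud.wipe_requested:
            self.wiped = True
            return ("mail-exposed-then-wiped", readable)
        return ("mail-fetched", readable)


def run_scenario(lock_screen_toggle: bool, wipe_first: bool) -> tuple:
    """Walk the article's sequence under the chosen settings.

    Returns (airplane toggle blocked while locked?, reconnect status, readable mail).
    """
    dev = Device(control_centre_on_lock_screen=lock_screen_toggle,
                 check_wipe_before_mail=wipe_first)
    cloud = FindMyPhoneCloud()
    blocked_while_locked = not dev.toggle_airplane_mode()  # tried on the lock screen
    cloud.wipe_requested = True   # owner flags the device via Find My iPhone
    dev.unlocked = True           # assume the device was later unlocked somehow
    dev.airplane_mode = False     # device is brought back online to receive mail
    status, readable = dev.reconnect(cloud, SAMPLE_INBOX)
    return (blocked_while_locked, status, readable)


if __name__ == "__main__":
    # Current defaults as described in the article: toggle allowed, mail first.
    print(run_scenario(lock_screen_toggle=True, wipe_first=False))
    # Both recommendations applied: toggle blocked, wipe honoured before mail.
    print(run_scenario(lock_screen_toggle=False, wipe_first=True))
```

The two tuple elements are independent: the lock-screen setting decides whether the offline window can be opened without unlocking, while the reconnect ordering decides whether a pending wipe wins the race against mail retrieval. Only the second setting stops a reset token from ever being readable on a device that has already been flagged.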

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • Lessons Learned

    Apple will improve this process. Thanks to the German security workers at SR Labs who spent the time to research this.
    • No doubt

      Just don't expect Apple to admit their device has a problem.
      • Don't be stupid

        Apple fixes problems.

        They don't discuss security flaws until they are fixed and this is good practice.

        It's not smart to publicise ways to hack or steal a device and security researchers usually follow the same protocol and don't give out details to anyone but the vendor.

        This article is potentially an encouragement to thieves that really wasn't necessary. Although in this case it's a bit obvious anyway.

        To me it's obvious that Control screen on the lock screen has security implications including this one. It's a setting though and can be turned on or off.

        So did Apple think it had security implications? I think they thought that was obvious?
        • Where is this setting???

          Where is this setting? I had a friend whose phone was stolen and now is untrackable. It's an iPhone 4, but still had iOS 7 on it. We've looked for how to prevent this, and it's impossible. I obviously don't want to have the same thing happen to mine, so if this setting exists, I would love to know.
          • The setting is in

            Go to settings and from there the "control center" settings, the first option should control if it is available from the lock screen.
        • If it's obvious, why has it not been fixed

          Sorry, but it wasn't obvious to me or several of my tech savvy friends until we were told. I actually didn't realise they had network controls exposed in lock mode.

          If it is obvious as you say, why has Apple done this and, to add insult, made the insecure setting the default?
          I'm glad for this article because now I know about the vulnerability and switched the option off. Let's hope that Apple is paying attention and sorts it for the rest - sometimes these companies need a bit of a kick to take security seriously (and as you say it's an obvious issue so really if they haven't sorted it by now then a kick is prob in order, MS would've had it sorted by now after the hidings they got in the past).
    • Apple will GET better, BlackBerry is secure already

      Why does Apple always get a free pass?

      BlackBerry's Z10 is an iPhone equivalent, with similar specs and camera, with BlackBerry level security for a lower price!

      So where is the BlackBerry mention when Apple gets called out for security? Apple is mentioned when BlackBerry is criticized for lack of Angry Birds games...
  • This "exploit" still requires a good, valid print.

    If this is what's considered an "exploit" these days, consider this: removing the SIM card achieves the same thing. This is nothing more than an extension of the "spoof-a-print" exploit that still requires a hi-def capture of the owner's registered fingerprint which still has not been demonstrated as obtainable via any "normal" means. Also even IF they unlock the phone, how in the world would this allow them to "hijack" the owner's Apple ID without turning off Airplane mode thus making contact with Apple's servers and initiating the remote wipe? Can we stop spreading the FUD of this BS exploit?
    • Perhaps you should go back and re-read the article.

      Pay particular attention to this:

      "SR Labs used an iPhone 4S to take a picture of latent fingerprints left on an iPhone 5s. "

      IOW they got the prints right off of the device itself.
      • wow

        Is the iPhone 4S camera that good? ;-)
        • sort of

          The camera is on par with BB, Android et al. So that means pretty much ANY other cell could do the same.
  • First...

    If you can't keep track of your phone, you shouldn't be doing anything important on it anyway. If it is REALLY an accidental loss (not a brain fart) then that wouldn't seem to be that common or that frequent that it would end up in someone's hands that would know how to do all this crap.

    But the real issue seems over and over to be the implementation of Control Panel BEFORE getting past the lock screen. Bad design decision. Like the camera, only items that really need to be outside of the lock screen should have been accessible (like the flashlight). But that is payback for now allowing active icons (except the camera) on the lock screen. That entire panel should not be accessible until the phone is unlocked. Of course, that is trivial since I bet a whole lot of people promptly turn off the security when they can.
    • Mugging

      Familiar with the term "Mugging"? If I stick a gun in your face are you going to hand over your phone or take a bullet? Or what if I literally snatch your phone out of hands and run off? In NYC that's called "Apple Picking".
      • RE: Mugging

        LOL at the "Apple Picking" comment but still, your average NYC mugger doesn't have the know-how to use $1,000 equipment to replicate an exact image of the print he forgot to take a picture of when they ran off with your phone.
        • mugging

          And, he is very likely more interested in making calls, or selling it for a supply of drugs, and would allow you time to find another iPhone user that would let you remote wipe the stolen phone in about a minute. The phone then loses most of its street value since he can't use it for anything but a paperweight.
        • It's a good thing technology never gets cheaper or easier to use

          Otherwise it might be a problem to literally leave your password on everything a user happens to touch.

          It isn't like the fingerprint scanner resolves some issue where average muggers were able to bypass previous lock screen methods, but now they can't.
        • The mugger may not know how to do it,

          but there are certainly people who DO KNOW and would be willing to buy the phone. And their "street contact info" is probably well publicized.
        • Mugging...

          No, the guy doing the mugging doesn't. But the guy buying the stolen iPhones by the trash bag full will.
      • Apple Picking

        In California, it is now called "Temporary Taking". And maybe the guy who steals your iPhone doesn't have $1000+ to buy equipment, but his boss or his boss's boss may have that.
      • Apple picking -

        in the Big Apple! LMAO -