iOS 7's Airplane mode 'can be exploited for iPhone account hijack attack'

German researchers show weakness of Apple making Airplane mode easier to access.
Written by Liam Tung, Contributing Writer

German security researchers have shown how an iPhone 5s thief can defeat attempts to remotely wipe the device and, with the help of a spoofed fingerprint, hijack the handset owner's iCloud and iTunes accounts.

Security researchers at German security firm SR Labs have shown that Apple's new iOS 7 Control Centre shortcut to Airplane mode, which can be accessed without requiring a passcode, could be a major vulnerability when it comes to physically stolen devices.

By turning on Airplane mode, the attacker can prevent the victim's attempts to remote wipe the device using Apple's Find My iPhone app through iCloud.

As the researchers show in a video on YouTube, it could give the attacker enough time to go about creating a spoofed fingerprint to bypass the the iPhone 5s' TouchID fingerprint reader and begin using password reset features to hijack the victim's iCloud and iTunes accounts, and any other linked accounts such as Gmail.

One of the main points of SR Lab's videos appears to be to show that the iPhone 5s TouchID fingerprint feature brings in new attack vectors for the Apple device and in some senses make it less secure than older handsets without biometric readers.

"The flaws listed at the end of the video outline what we consider to be steps Apple can take to mitigate security weaknesses that have been introduced or amplified by new features in iOS 7 and/or the iPhone 5s' TouchID fingerprint authentication system," SR Labs told ZDNet.

"Point 5 suggests that Apple fix a particularly significant flaw in the implementation of Find My iPhone that allows thieves to connect to the internet and receive emails (eg, password reset tokens) on a stolen device despite its being flagged for remote wipe. This is the flaw that allowed the thief in the video to hijack the victim's Apple ID, but it is the combination of all of the flaws or 'attack fragments' that in the end allow for full-scale device — and ID ownership —without any special software or impressive hacking skills."

SR Labs released released the hack shortly after German-based Chaos Computer Club (CCC) revealed its own method of spoofing fingerprints in order to bypass TouchID on the iPhone 5s.

SR Labs used an iPhone 4S to take a picture of latent fingerprints left on an iPhone 5s. Though the researchers claim it only took one hour to create a spoofed fingerprint, it's probably not going to be that easy for the average person, unless they have special equipment, such as a repurposed face-tanning bed, and the know-how to replicate the fingerprint.

Marc Rogers, principal security consultant at Lookout, used the same technique as SR Labs to spoof a fingerprint, which relied on over $1,000-worth of equipment and was what he called "a little bit in the realm of a John le Carré novel".  

Still, SR Labs's demo does highlight potential security problems in the way Apple has designed iOS 7. 

It's urging Apple to make Airplane mode inaccessible from the lockscreen by default, and require users to enter their PIN after switching on Airplane mode or removing the SIM. 

According to SR Labs, Apple should also warn users during Apple ID creation not to store login details for email accounts that password-reset emails would be sent to on their registered devices. It also wants Apple to differentiate between temporary and permanent loss scenarios. If it's the latter case, Apple should advise users to revoke the device's access to all accounts it has stored logins for. 

Finally, upon reconnecting to the internet, iOS should not allow email retrieval before the device's wipe or don't wipe status can be retrieved from iCloud.

Further reading

Editorial standards