14 DAY TRIAL // New vulnerabilities discovered in Apple’s mobile software will prompt the Cupertino giant to act by releasing a new firmware update for all users of iOS 7, according to security researcher and hacker Steven De Franco, nicknamed iH8sn0w in jailbreaker circles.
Describing team doulCi’s Activation Lock circumvention, De Franco, called the bypass a “man-in-the-middle attack,” adding that “It seems like it’s a firmware related bug. So it would require a new update to patch it.”
Add the two WebKit flaws recently patched by Apple in desktop Safari (which should also be exhibited in mobile Safari without fail) and the Cupertino giant likely has at least three security flaws in need of patching on iOS. In other words, expect iOS 7.1.2 to drop relatively soon.
Team doulCi noted on Twitter that Apple has been slow to respond to their iCloud breach, answering their letters two months after the team warned the company of the flaws they’d discovered. Team members MerrukTechnolog & AquaXetine indicated that Apple’s late response met them with dismay, and that they decided to just delete the email response.
We’ve sent Apple a request to confirm that the company is at least working on patching this issue and will update this story when (if) we get a response.
In the meanwhile, it should be noted that no iPhone or iPad is safe from the Activation Lock flaw. Apple introduced this feature in iOS 7 to thwart iDevice thefts, essentially rendering any stolen iPhone or iPad unusable without their owner’s iCloud credentials.
However, as team doulCi has demonstrated, a vulnerability in iOS software can enable a person with physical access to the device (and its USB cable) to bypass this hurdle and restore the device to a usable state. What’s worse, the flaw can also open up the contents of the phone to the attacker/thief.
doulCi’s guys are offering up three Twitter threads as evidence that thousands of formerly-locked devices are now usable again. It’s reasonable to assume that among those iPhones and iPads are at least a few stolen units that didn’t deserve to be turned back on again.
In cases like these, Apple usually rushes out the update without putting it through any beta testing with the public (i.e. registered developers, not regular users). There’s no reason to believe things are any different now, so the company should be releasing iOS 7.1.2 any day now.
The Mac maker more often than not responds slowly to security matters, something they might want to change in a world where data stored on smartphones is of upmost importance.