NviGate Systems
I just reported this bug to Apple today but wanted to share this as this could affect users who thought they had signed out of iCloud or if you have taken trade on a device that is running iOS 10. Always ensure that you check https://www.icloud.com/activationlock/ after having a client sign out of a device.
04-Oct-2016 09:06 PM
Area:
CloudKit (iCloud)
Summary:
If an iOS device is upgraded to iOS 10.0.2, an attacker may be able to bypass iCloud restrictions locally if no pass code is used on the device. The issue is how the iPad handles logout requests when no network connection exists. The iPad may show an error message that an account could not be created when in fact the desired action was to log out of an account.
Steps to Reproduce:
1.) Upgrade to iOS 10
2.) Disconnect from WiFi/Data
3.) Go to Settings
3.) Go to iCloud
4.) Tap Sign Out
5.) Error will be displayed that New Account could not be created.
Expected Results:
iOS should report that validation failed and account cannot be removed due to missing network connection.
Actual Results:
iOS removes affected account locally and allows attacker to use device without previous iCloud account.
Keep in mind that Apple's Servers still register the old iCloud credentials, so any attempt to reset the device may still produce an iCloud locked device.
Version:
iOS 10.0.2 (14A456)
Notes:
This was only tested on a reclamation device that was confirmed iCloud Activation Lock enabled. No further testing done.
Configuration:
iPad Mini 2 Retina 16GB White