updated 11:45 am EDT, Fri October 4, 2013
Airplane Mode, lack of warnings identified as soft spots
A new SRLabs video demonstrates one possible method of getting around both Touch ID and Activation Lock on a stolen iPhone 5s. The video points out that while Apple lets users locate and/or remotely wipe a device using the Find My iPhone app, a 5s can be set to Airplane Mode without unlocking if lockscreen access to Control Center is left enabled. Since Find My iPhone can only perform a wipe if a device is connected to the Internet, that may give a thief enough time to lift and mold a fingerprint to bypass Touch ID, and begin hijacking Apple, Google, and other online accounts.
Some people may keep the email account needed to reset an Apple ID password active on the device itself. That allows a thief to connect a 5s to the Internet long enough to complete the hijack process, but not long enough for a triggered remote wipe to take effect. If the thief is successful, he or she should be able to defeat Activation Lock, unless the true owner can somehow reclaim the Apple ID or find the phone first.
SRLabs suggests several things Apple could do to mitigate the problem. These include making Airplane Mode inaccessible from the lockscreen by default, and warning people not to keep a password reset email account active on a mobile device. The outfit also recommends that Find My iPhone be able to distinguish between temporary and permanent loss scenarios, in the latter case urging people to immediately revoke the device's credentials for email, social networks, calling/SMS, and anything else that might be relevant. Lastly, Apple is asked to avoid displaying the length of the PIN code a person has to enter -- and/or whether a device has Touch ID active -- and to force iOS to check for remote wipe commands before it fetches email.